Abstract


The Concurrent Logical Framework, or CLF, is a new logical framework in which concurrent computations can be represented as monadic objects, for which there is an intrinsic notion of concurrency. It is designed as a conservative extension of the linear logical framework LLF with the synchronous connectives $\otimes$, $1$, $!$, and $\exists$ of intuitionistic linear logic, encapsulated in a monad. LLF is itself a conservative extension of LF with the asynchronous connectives $\multimap$, $\&$ and $\top$.

The present report, the first of two technical reports describing CLF, presents the framework itself and its meta-theory. A novel, algorithmic formulation of the underlying type theory concentrating on canonical forms leads to a simple notion of definitional equality for concurrent computations in which the order of independent steps cannot be distinguished. The new formulation of the framework constitutes an original contribution even for the LF fragment.

For many additional examples illustrating the use of the framework to specify and reason about object systems of interest, the reader is referred to the companion technical report on applications [CPWW02].
1 Introduction

A logical framework [Pfe01b, BM01] is a meta-language for the specification and implementation of deductive systems, which are used pervasively in logic and the theory of programming languages. A logical framework should be as simple and uniform as possible, yet provide intrinsic means for representing common concepts and operations in its application domain.

The particular lineage of logical frameworks we are concerned with in this paper started with the Automath languages [dB80] which originated the use of dependent types. It was followed by LF [HHP93], crystallizing the judgments-as-types principle. LF is based on a minimal type theory $\lambda^\Pi$ with only the dependent function type constructor $\Pi$. It nonetheless directly supports concise and elegant expression of variable renaming and capture-avoiding substitution at the level of syntax, and parametric and hypothetical judgments in deductions. Moreover, proofs are reified as objects which allows properties of or relations between proofs to be expressed within the framework [Pfe91].

Representations of systems involving state remained cumbersome until the design of the linear logical framework LLF [CP98] and its close relative RLF [IP98]. For example, LLF allows an elegant representation of Mini-ML with mutable references that reifies imperative computations as objects. LLF is a conservative extension of LF with the linear function type $A \multimap B$, the additive product type $A \,\&\, B$, and the additive unit type $\top$. This type theory corresponds to the largest freely generated fragment of intuitionistic linear logic [HM94, Bar96] whose proofs admit long normal forms without any commuting conversions. This allows a relatively simple type-directed equality-checking algorithm which is critical in the proof of decidability of type-checking for the framework [CP98, VC00].

While LLF solved many problems associated with the representation of stateful computations, the encoding of concurrent computations remained unsatisfactory. In this report, we demonstrate that the limitations of LLF can be overcome by extending the framework with a monad that incorporates the synchronous connectives $\otimes$, $1$, $!$, and $\exists$ of intuitionistic linear logic. We call this new framework Concurrent LF (CLF).

The purpose of this report is to describe the language and meta-theory of CLF. Readers interested in examples of CLF representations can consult the companion report [CPWW02], which demonstrates the expressive power of CLF through a series of examples and, in particular, focuses on CLF's effectiveness for encoding concurrent programming paradigms.

Summary. The remainder of the report is organized as follows. Section 2 introduces the CLF type theory, including its syntax, equality judgments and typing judgments. Section 3 discusses how concurrent systems can be represented in CLF and how such representations improve on what is possible in LLF, and relates CLF to various other similar proposals. Section 4 describes CLF's instantiation and expansion operators, which permit the formulation of the framework without a notion of $\beta\eta$-conversion, and describes the key meta-theorems on equality and typing. It also compares the formulation of the type theory seen here with previous accounts of LF and related type theories. Finally, Section 5 offers some concluding remarks.
2 A type theory with concurrent terms

2.1 A language of concurrent objects

In the LF tradition, the terms classified by types are called objects, and the terms classified by kinds are called type constructors, among which are the types. CLF has two categories of types: the asynchronous types $A$ and the synchronous types $S$. The asynchronous types include all the type constructors of LF and LLF, as well as a new monadic type constructor written $\{S\}$. The synchronous types, which are only allowed within the monad constructor, include further type constructors of intuitionistic linear logic, all of which have let-style elimination rules. Intuitively, the monad restricts the availability of these elimination forms so that the question of commutative conversions between the eliminations and other terms of the type theory does not arise. Sections 2.3 and 3.3 describe this in further detail. The "(a)synchronous" terminology is due to Andreoli [And92].

Definition 1 (Type constructors)

$$A, B, C ::= A \multimap B \mid \Pi x{:}A.\,B \mid A \,\&\, B \mid \top \mid \{S\} \mid P \qquad \text{Asynchronous types}$$

$$P ::= a \mid P\,N \qquad \text{Atomic type constructors}$$

$$S ::= S_1 \otimes S_2 \mid 1 \mid \exists x{:}A.\,S \mid A \qquad \text{Synchronous types}$$

The asynchronous types include the dependent function type $\Pi x{:}A.\,B$, the linear function type $A \multimap B$, the additive product type $A \,\&\, B$, and the additive unit $\top$. The monadic type $\{S\}$ acts as a coercion from the synchronous types into the asynchronous types. The atomic type constructors $P$ include type constructor constants $a$ and the type-level dependent application $P\,N$ (where $N$ is an object).

The synchronous types include the other type constructors new to CLF: the multiplicative product type $S_1 \otimes S_2$, the multiplicative unit $1$, and the dependent pair type $\exists x{:}A.\,S$. There is a trivial coercion from the asynchronous types into the synchronous ones. In addition, the exponential type $!$ of intuitionistic linear logic can be defined as a trivial dependent pair: $!A = \exists x{:}A.\,1$.

The kind language of CLF is identical to that of LF and LLF. The symbol kind is also used on occasion to classify the valid kinds.

Definition 2 (Kinds)

$$K, L ::= \mathsf{type} \mid \Pi x{:}A.\,K \qquad \text{Kinds}$$

We often write $A \to B$ instead of $\Pi x{:}A.\,B$ and $A \to K$ instead of $\Pi x{:}A.\,K$ when $B$ or $K$ respectively contains no free occurrence of $x$.

The CLF type theory inherits all the type and kind constructors of LF and LLF, and the corresponding objects. It differs, however, in that the syntax of CLF admits only those terms of LF and LLF that are $\beta$-normal and $\eta$-long, the canonical terms. This simplifies the meta-theory of CLF, and highlights the importance of the principle that LF representations always establish a compositional bijection between terms of an object language and the canonical objects of LF of a given type. Thus, in CLF, there is no notion of $\beta$- or $\eta$-conversion, and every well-formed term can be regarded as "canonical."
Definition 3 (Objects)

$$N ::= \lambda x.\,N \mid \hat{\lambda}x.\,N \mid \langle N_1, N_2\rangle \mid \langle\rangle \mid \{E\} \mid R \qquad \text{Normal objects}$$

$$R ::= c \mid x \mid R^{\wedge}N \mid R\,N \mid \pi_1 R \mid \pi_2 R \qquad \text{Atomic objects}$$

$$E ::= \mathsf{let}\ \{p\} = R\ \mathsf{in}\ E \mid M \qquad \text{Expressions}$$

$$M ::= M_1 \otimes M_2 \mid 1 \mid [N, M] \mid N \qquad \text{Monadic objects}$$

$$p ::= p_1 \otimes p_2 \mid 1 \mid [x, p] \mid x \qquad \text{Patterns}$$

The first two categories of object are the normal objects $N$ and the atomic objects $R$. These correspond to the quasi-canonical and quasi-atomic forms of LF object, respectively, as described by Harper and Pfenning [HP00]. A normal object is a series of constructors applied to atomic objects, while an atomic object is a series of natural-deduction style destructors applied to a variable $x$ or constant $c$. They include all the constructors and destructors of LF and LLF: the unrestricted function constructor $\lambda x.\,N$ and destructor $R\,N$; the linear function constructor $\hat{\lambda}x.\,N$ and destructor $R^{\wedge}N$; the additive pair constructor $\langle N_1, N_2\rangle$ and destructors $\pi_1 R$ and $\pi_2 R$; and the additive unit constructor $\langle\rangle$.

In addition, there is a constructor $\{E\}$ associated with the monadic type. The remaining categories of object, the expressions $E$ and monadic objects $M$, are associated with the monadic type and the additional linear type constructors $\otimes$, $1$ and $\exists$. They include the monadic binding form $\mathsf{let}\ \{p\} = R\ \mathsf{in}\ E$; the multiplicative pair constructor $M_1 \otimes M_2$ and pattern $p_1 \otimes p_2$; the multiplicative unit constructor $1$ and pattern $1$; and the dependent pair constructor $[N, M]$ and pattern $[x, p]$. The monadic binding form $\mathsf{let}\ \{p\} = R\ \mathsf{in}\ E$ binds all the variables occurring in the pattern $p$ within the expression $E$. Hence, it subsumes the destructors for $1$, $\otimes$, and $\exists$. The purpose of the monadic type is to isolate these binding forms, which would otherwise have a catastrophic effect on the LF and LLF fragments of CLF, as explained in Section 3.2.

Terms which differ only in the names of their bound variables are considered to be the same. For the LF and LLF fragments of CLF, this is the only notion of equality: two terms are equal if and only if they are $\alpha$-equivalent. But expressions differ from the other categories of object in that they are subject to permutative conversions by which the monadic bindings can be reordered:

$$(\mathsf{let}\ \{p_1\} = R_1\ \mathsf{in}\ \mathsf{let}\ \{p_2\} = R_2\ \mathsf{in}\ E) = (\mathsf{let}\ \{p_2\} = R_2\ \mathsf{in}\ \mathsf{let}\ \{p_1\} = R_1\ \mathsf{in}\ E)$$

Of course, this rule is subject to the proviso that the bindings be independent: $p_1$ and $p_2$ must bind disjoint sets of variables, no variable bound by $p_1$ can appear free in $R_2$, and vice versa. The reordering of monadic bindings is the mechanism by which CLF admits an intrinsic description of concurrent computations. We think of each let binding as a single computation step. Computation steps appearing in a single expression that are independent in the above sense can be thought of as occurring concurrently.

The notion of equality on CLF objects could be characterized as the least congruence relation including the above equation schema. The reason is that having separate syntactic classes of objects and expressions eliminates any need for commuting conversions. (We do not think of the permutative conversions as being commuting conversions.) But we prefer to define the framework's equality in a slightly different way. The definition relies on the subsidiary concept of a concurrent context.
Definition 4 (Concurrent contexts)

$$\epsilon ::= \_ \mid \mathsf{let}\ \{p\} = R\ \mathsf{in}\ \epsilon \qquad \text{Concurrent contexts}$$

As usual, the notation $\epsilon[E]$ stands for the expression constructed by replacing the hole in $\epsilon$ with $E$. Now equality can be defined as follows.


Definition 5 (Equality)

$E_1 =_c E_2$ [Concurrent equality]

$$\frac{M_1 = M_2}{M_1 =_c M_2} \qquad \frac{R_1 = R_2 \qquad E_1 =_c \epsilon[E_2]}{(\mathsf{let}\ \{p\} = R_1\ \mathsf{in}\ E_1) =_c \epsilon[\mathsf{let}\ \{p\} = R_2\ \mathsf{in}\ E_2]}\ (*)$$

$E_1 = E_2$ [Expression equality]

$$\frac{E_1 =_c E_2}{E_1 = E_2}$$

$N_1 = N_2 \qquad R_1 = R_2 \qquad M_1 = M_2 \qquad p_1 = p_2$ [Other equalities]

(All congruences.)

The judgment $E_1 =_c E_2$ holds when $E_1$ and $E_2$ represent the same underlying concurrent computation even though their syntactic representations may differ. The rule marked (*) is subject to the side condition that no variable bound by $p$ be free in the conclusion or bound by the context $\epsilon$, and that no variable free in $R_2$ be bound by the context $\epsilon$. (It is always possible to globally $\alpha$-convert terms being compared for equality in order to avoid running afoul of the side condition.)

Then the equality on expressions $E_1 = E_2$ is simply defined to be concurrent equality. While the definition of concurrent equality is not presented symmetrically, it turns out to be symmetric. The judgments $N_1 = N_2$, $R_1 = R_2$, $M_1 = M_2$, and $p_1 = p_2$ are characterized by simple congruence rules for each syntactic form, not shown. In Section 4.5 it is shown that equality is an equivalence relation. When it is necessary to refer to $\alpha$-equivalence, as opposed to the framework's equality, the former will be denoted $\equiv$.

The main advantage of this concrete definition of equality is that it is syntax directed. The sequence of rules to be applied is determined by the syntax of the term on the left, and the instantiation of the metavariables in the rule schemas is determined up to finitely many possibilities (in considering how to decompose an expression $E$ on the right into $\epsilon[E']$). Hence it is manifestly decidable and lends itself to interpretation as an algorithm.


2.2 The type system of CLF

We present first the type system of the LF fragment of CLF, then extend it to the LLF fragment and finally the full language. Before presenting the typing judgments, it is necessary to introduce the notions of signature and context, which record assumptions about the types (or kinds) of constants and variables respectively.

Definition 6 (Signatures and contexts, LF fragment)

$$\Sigma ::= \cdot \mid \Sigma, a{:}K \mid \Sigma, c{:}A \qquad \text{Signatures}$$

$$\Gamma ::= \cdot \mid \Gamma, x{:}A \qquad \text{Unrestricted contexts}$$
It is an invariant that variables added to signatures and contexts must be unique, and the metavariables for contexts always denote contexts with unique variables.

There is a typing judgment for each syntactic category, as well as validity judgments for contexts $\Gamma$ and signatures $\Sigma$. Each of these judgments is defined in a completely syntax-directed manner, so termination and decidability of typing is clear. For normal syntactic categories ($N$, $A$, $K$) the operational interpretation of the type-checking judgment is that a putative type is provided, and the judgment holds if the term can be typed with the given type. In particular, a normal term such as $\lambda x.\,x$ may have several different types. This stands in contrast to the typical presentation of LF, where type labels are used in abstractions to ensure that every term has a unique type. For the atomic syntactic categories ($R$, $P$) the situation is different: the operational meaning of the typing judgment is that it defines a partial function from an atomic term (in a given context and signature) to its unique type. The direction of the arrow $\Leftarrow$ or $\Rightarrow$ serves as a mnemonic for whether a type is being checked against or inferred, respectively.

In all cases the typing judgment is not considered to have any particular meaning unless the context and signature referred to in the judgment are valid. For the normal syntactic categories, the typing judgment is meaningless unless the type referred to in the judgment is valid as well. For the atomic syntactic categories, it will be proved that whenever a typing is derivable and the context and signature mentioned in the typing are valid, the type mentioned in the judgment is valid. The signature $\Sigma$ subscripting the various judgments is often omitted; it is invariant in the course of a typing derivation.


Definition 7 (Typing, LF fragment)

$\vdash \Sigma\ \mathsf{ok}$ [Signature validity]

$$\frac{}{\vdash \cdot\ \mathsf{ok}} \qquad \frac{\vdash \Sigma\ \mathsf{ok} \qquad \cdot \vdash_\Sigma K \Leftarrow \mathsf{kind}}{\vdash \Sigma, a{:}K\ \mathsf{ok}} \qquad \frac{\vdash \Sigma\ \mathsf{ok} \qquad \cdot \vdash_\Sigma A \Leftarrow \mathsf{type}}{\vdash \Sigma, c{:}A\ \mathsf{ok}}$$

$\vdash_\Sigma \Gamma\ \mathsf{ok}$ [Context validity]

$$\frac{}{\vdash_\Sigma \cdot\ \mathsf{ok}} \qquad \frac{\vdash_\Sigma \Gamma\ \mathsf{ok} \qquad \Gamma \vdash_\Sigma A \Leftarrow \mathsf{type}}{\vdash_\Sigma \Gamma, x{:}A\ \mathsf{ok}}$$

$\Gamma \vdash_\Sigma K \Leftarrow \mathsf{kind}$ [Kind checking]

$$\frac{}{\Gamma \vdash \mathsf{type} \Leftarrow \mathsf{kind}}\ \mathsf{typeF} \qquad \frac{\Gamma \vdash A \Leftarrow \mathsf{type} \qquad \Gamma, x{:}A \vdash K \Leftarrow \mathsf{kind}}{\Gamma \vdash \Pi x{:}A.\,K \Leftarrow \mathsf{kind}}\ \Pi\mathsf{KF}$$

$\Gamma \vdash_\Sigma A \Leftarrow \mathsf{type}$ [Type checking]

$$\frac{\Gamma \vdash A \Leftarrow \mathsf{type} \qquad \Gamma, x{:}A \vdash B \Leftarrow \mathsf{type}}{\Gamma \vdash \Pi x{:}A.\,B \Leftarrow \mathsf{type}}\ \Pi\mathsf{F} \qquad \frac{\Gamma \vdash P \Rightarrow \mathsf{type}}{\Gamma \vdash P \Leftarrow \mathsf{type}}\ {\Rightarrow}\mathsf{type}{\Leftarrow}$$

$\Gamma \vdash_\Sigma P \Rightarrow K$ [Atomic type constructor inference]

$$\frac{}{\Gamma \vdash a \Rightarrow \Sigma(a)}\ a\mathsf{F} \qquad \frac{\Gamma \vdash P \Rightarrow \Pi x{:}A.\,K \qquad \Gamma \vdash N \Leftarrow A}{\Gamma \vdash P\,N \Rightarrow \mathsf{inst\_k}_A(x.\,K, N)}\ \Pi\mathsf{KE}$$

$\Gamma \vdash_\Sigma N \Leftarrow A$ [Normal object checking]

$$\frac{\Gamma,x{:}A \vdash N \Leftarrow B}{\Gamma \vdash \lambda x.\,N \Leftarrow \Pi x{:}A.\,B}\ \Pi\mathsf{I} \qquad \frac{\Gamma \vdash R \Rightarrow P' \qquad P' = P}{\Gamma \vdash R \Leftarrow P}\ {\Rightarrow}{\Leftarrow}$$

$\Gamma \vdash_\Sigma R \Rightarrow A$ [Atomic object inference]

$$\frac{}{\Gamma \vdash c \Rightarrow \Sigma(c)}\ c\mathsf{F} \qquad \frac{}{\Gamma \vdash x \Rightarrow \Gamma(x)}\ x\mathsf{F} \qquad \frac{\Gamma \vdash R \Rightarrow \Pi x{:}A.\,B \qquad \Gamma \vdash N \Leftarrow A}{\Gamma \vdash R\,N \Rightarrow \mathsf{inst\_a}_A(x.\,B, N)}\ \Pi\mathsf{E}$$

The typing rules [ΠKE] and [ΠE] involve the operation of instantiating a variable in a dependent type (or kind) with an object. In the first-order case, an ordinary capture-avoiding substitution will suffice. However, since $\beta$-redices are not syntactically allowed in CLF, at higher type some computation must occur in order to find the term corresponding to the result of the instantiation. This is achieved by the instantiation operator $\mathsf{inst\_a}_A(x.\,B, N)$, which computes the result of instantiating the variable $x$ in the type $B$ with the object $N$. The instantiation operator is indexed by the type $A$ of the object being substituted. In the first-order case, we have that $\mathsf{inst\_a}_a(x.\,B, N) = [N/x]B$, but at higher type, more complex situations arise:

$$\mathsf{inst\_a}_{a \to a}(x.\ b\,(\lambda y.\,c\,(x\,(x\,y))),\ \lambda z.\,d\,z) = b\,(\lambda y.\,c\,(d\,(d\,y)))$$

The instantiation operators for each syntactic category are defined in Section 4.1.
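As an added example (not the report's own definition, which appears in Section 4.1 rather than on this page), the following Python implements $\mathsf{inst\_a}$ on the LF fragment as type-directed hereditary substitution and reproduces the higher-type instance displayed above; the simple-type index (`"a"` or `("arrow", A, B)`, dependencies erased), the tuple term syntax and the names `inst_n`, `inst_r` and `page_example` are assumptions of this example.

```python
"""Instantiation inst_a_A(x. B, N) on the LF fragment of CLF, implemented as
type-directed hereditary substitution (constructed for this example; the
report's own operators are defined in Section 4.1, not on this page).
Constructed syntax: a normal object is ("lam", x, N) or an atomic object;
an atomic object is a str (variable or constant) or ("app", R, N).  The
type index is a simple type, "a" or ("arrow", A, B): only the shape of the
index drives the computation, so dependencies are erased."""


class IllTyped(Exception):
    """Raised when the result would need a beta-redex that no canonical
    object can represent, e.g. an application at a non-function type."""


def inst_n(x, n0, ty, n):
    """Instantiate x by n0 (of type ty) in the normal object n.  Bound names
    are assumed distinct from x and from the free variables of n0, which
    alpha-conversion always allows."""
    if isinstance(n, tuple) and n[0] == "lam":
        return ("lam", n[1], inst_n(x, n0, ty, n[2]))
    _, result, _ = inst_r(x, n0, ty, n)  # n is an atomic object
    return result


def inst_r(x, n0, ty, r):
    """Instantiate in an atomic object.  Returns ("atomic", R', None) when the
    head is not x, and ("normal", N', ty') when the head was x: n0 has then
    been applied to the instantiated arguments by substituting into its
    lambda bodies on the fly, so no beta-redex is ever constructed."""
    if isinstance(r, str):
        return ("normal", n0, ty) if r == x else ("atomic", r, None)
    _, head, arg = r
    tag, head2, ty2 = inst_r(x, n0, ty, head)
    arg2 = inst_n(x, n0, ty, arg)
    if tag == "atomic":
        return ("atomic", ("app", head2, arg2), None)
    # head2 is a normal object of type ty2 applied to arg2.  Being canonical
    # at an arrow type it is a lambda; continue at the strictly smaller type
    # dom, which is why the recursion terminates.
    if not (isinstance(ty2, tuple) and ty2[0] == "arrow"):
        raise IllTyped("application at a non-function type")
    if not (isinstance(head2, tuple) and head2[0] == "lam"):
        raise IllTyped("a canonical object at arrow type must be a lambda")
    _, dom, cod = ty2
    _, y, body = head2
    return ("normal", inst_n(y, arg2, dom, body), cod)


def page_example():
    """The higher-type instance displayed on this page:
    inst_a_{a -> a}(x. b (lam y. c (x (x y))), lam z. d z)."""
    n0 = ("lam", "z", ("app", "d", "z"))
    b = ("app", "b", ("lam", "y", ("app", "c", ("app", "x", ("app", "x", "y")))))
    return inst_n("x", n0, ("arrow", "a", "a"), b)
```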

In contrast to the usual presentation of LF typing, there are no type conversion rules (which would fail to be syntax directed). Instead, there is an appeal to the equality judgment in the rule [⇒⇐] for the coercion from atomic objects to normal objects. In Section 4.5 type conversion for the typing judgments for normal syntactic categories is shown to be admissible.

In order to extend the type system to the LLF fragment, we introduce a new context for linear hypotheses. We depart slightly from the concrete syntax in adhering to the usual convention that a metavariable like $\Delta$ denotes an equivalence class of linear contexts up to rearrangement. Note that there is no issue of dependency, as there would be in rearranging an unrestricted context $\Gamma$, because types cannot depend on linear variables.

Definition 8 (Contexts, LLF fragment)

$$\Delta ::= \cdot \mid \Delta, x^{\wedge}A \qquad \text{Linear contexts}$$

The typing judgments for objects must be modified in order to account for linear hypotheses; the new formulation depends on a pair of contexts $\Gamma; \Delta$ in the style of dual intuitionistic linear logic [Bar96]. The following definition includes all the inference rules from the LF fragment that have to be revised for this reason. Note that type constructors and kinds never depend on linear variables.

Definition 9 (Typing, LLF fragment)

$\Gamma \vdash_\Sigma \Delta\ \mathsf{ok}$ [Linear context validity]

$$\frac{}{\Gamma \vdash_\Sigma \cdot\ \mathsf{ok}} \qquad \frac{\Gamma \vdash_\Sigma \Delta\ \mathsf{ok} \qquad \Gamma \vdash_\Sigma A \Leftarrow \mathsf{type}}{\Gamma \vdash_\Sigma \Delta, x^{\wedge}A\ \mathsf{ok}}$$

$\Gamma \vdash_\Sigma A \Leftarrow \mathsf{type}$ [Type checking, extended]

$$\frac{\Gamma \vdash A \Leftarrow \mathsf{type} \qquad \Gamma \vdash B \Leftarrow \mathsf{type}}{\Gamma \vdash A \multimap B \Leftarrow \mathsf{type}}\ {\multimap}\mathsf{F} \qquad \frac{\Gamma \vdash A \Leftarrow \mathsf{type} \qquad \Gamma \vdash B \Leftarrow \mathsf{type}}{\Gamma \vdash A \,\&\, B \Leftarrow \mathsf{type}}\ \&\mathsf{F} \qquad \frac{}{\Gamma \vdash \top \Leftarrow \mathsf{type}}\ \top\mathsf{F}$$

$\Gamma \vdash_\Sigma P \Rightarrow K$ [Atomic type inference, revised]

$$\frac{\Gamma \vdash P \Rightarrow \Pi x{:}A.\,K \qquad \Gamma; \cdot \vdash N \Leftarrow A}{\Gamma \vdash P\,N \Rightarrow \mathsf{inst\_k}_A(x.\,K, N)}\ \Pi\mathsf{KE}$$

$\Gamma; \Delta \vdash_\Sigma N \Leftarrow A$ [Normal object checking, revised and extended]

$$\frac{\Gamma, x{:}A; \Delta \vdash N \Leftarrow B}{\Gamma; \Delta \vdash \lambda x.\,N \Leftarrow \Pi x{:}A.\,B}\ \Pi\mathsf{I} \qquad \frac{\Gamma; \Delta \vdash R \Rightarrow P' \qquad P' = P}{\Gamma; \Delta \vdash R \Leftarrow P}\ {\Rightarrow}{\Leftarrow}$$

$$\frac{\Gamma; \Delta, x^{\wedge}A \vdash N \Leftarrow B}{\Gamma; \Delta \vdash \hat{\lambda}x.\,N \Leftarrow A \multimap B}\ {\multimap}\mathsf{I} \qquad \frac{\Gamma; \Delta \vdash N_1 \Leftarrow A \qquad \Gamma; \Delta \vdash N_2 \Leftarrow B}{\Gamma; \Delta \vdash \langle N_1, N_2\rangle \Leftarrow A \,\&\, B}\ \&\mathsf{I} \qquad \frac{}{\Gamma; \Delta \vdash \langle\rangle \Leftarrow \top}\ \top\mathsf{I}$$

$\Gamma; \Delta \vdash_\Sigma R \Rightarrow A$ [Atomic object inference, revised and extended]

$$\frac{}{\Gamma; \cdot \vdash c \Rightarrow \Sigma(c)}\ c\mathsf{F} \qquad \frac{}{\Gamma; \cdot \vdash x \Rightarrow \Gamma(x)}\ x\mathsf{F} \qquad \frac{\Gamma; \Delta \vdash R \Rightarrow \Pi x{:}A.\,B \qquad \Gamma; \cdot \vdash N \Leftarrow A}{\Gamma; \Delta \vdash R\,N \Rightarrow \mathsf{inst\_a}_A(x.\,B, N)}\ \Pi\mathsf{E}$$

$$\frac{}{\Gamma; x^{\wedge}A \vdash x \Rightarrow A}\ \hat{x}\mathsf{F} \qquad \frac{\Gamma; \Delta_1 \vdash R \Rightarrow A \multimap B \qquad \Gamma; \Delta_2 \vdash N \Leftarrow A}{\Gamma; \Delta_1, \Delta_2 \vdash R^{\wedge}N \Rightarrow B}\ {\multimap}\mathsf{E}$$

$$\frac{\Gamma; \Delta \vdash R \Rightarrow A \,\&\, B}{\Gamma; \Delta \vdash \pi_1 R \Rightarrow A}\ \&\mathsf{E}_1 \qquad \frac{\Gamma; \Delta \vdash R \Rightarrow A \,\&\, B}{\Gamma; \Delta \vdash \pi_2 R \Rightarrow B}\ \&\mathsf{E}_2$$

Finally, we are ready to extend the type system to the full CLF language. This requires one more kind of context to record the types of patterns.

Definition 10 (Contexts, full CLF)

$$\Psi ::= \cdot \mid p^{\wedge}S, \Psi \qquad \text{Pattern contexts}$$

There are additional judgments for the validity of pattern contexts and synchronous types, and for typing expressions and monadic objects. Note that pattern contexts $\Psi$ are ordered but do not allow dependencies.


Definition 11 (Typing, full CLF)

$\Gamma \vdash_\Sigma \Psi\ \mathsf{ok}$ [Pattern context validity]

$$\frac{}{\Gamma \vdash_\Sigma \cdot\ \mathsf{ok}} \qquad \frac{\Gamma \vdash_\Sigma S \Leftarrow \mathsf{type} \qquad \Gamma \vdash_\Sigma \Psi\ \mathsf{ok}}{\Gamma \vdash_\Sigma p^{\wedge}S, \Psi\ \mathsf{ok}}$$

$\Gamma \vdash_\Sigma A \Leftarrow \mathsf{type}$ [Type checking, extended]

$$\frac{\Gamma \vdash S \Leftarrow \mathsf{type}}{\Gamma \vdash \{S\} \Leftarrow \mathsf{type}}\ \{\}\mathsf{F}$$

$\Gamma \vdash_\Sigma S \Leftarrow \mathsf{type}$ [Synchronous type checking]

$$\frac{\Gamma \vdash S_1 \Leftarrow \mathsf{type} \qquad \Gamma \vdash S_2 \Leftarrow \mathsf{type}}{\Gamma \vdash S_1 \otimes S_2 \Leftarrow \mathsf{type}}\ \otimes\mathsf{F} \qquad \frac{}{\Gamma \vdash 1 \Leftarrow \mathsf{type}}\ 1\mathsf{F} \qquad \frac{\Gamma \vdash A \Leftarrow \mathsf{type} \qquad \Gamma, x{:}A \vdash S \Leftarrow \mathsf{type}}{\Gamma \vdash \exists x{:}A.\,S \Leftarrow \mathsf{type}}\ \exists\mathsf{F}$$

$\Gamma; \Delta \vdash_\Sigma N \Leftarrow A$ [Normal object checking, extended]

$$\frac{\Gamma; \Delta \vdash E \leftarrow S}{\Gamma; \Delta \vdash \{E\} \Leftarrow \{S\}}\ \{\}\mathsf{I}$$

$\Gamma; \Delta \vdash_\Sigma E \leftarrow S$ [Expression checking]

$$\frac{\Gamma; \Delta_1 \vdash R \Rightarrow \{S_0\} \qquad \Gamma; \Delta_2; p^{\wedge}S_0 \vdash E \leftarrow S}{\Gamma; \Delta_1, \Delta_2 \vdash (\mathsf{let}\ \{p\} = R\ \mathsf{in}\ E) \leftarrow S}\ \{\}\mathsf{E} \qquad \frac{\Gamma; \Delta \vdash M \Leftarrow S}{\Gamma; \Delta \vdash M \leftarrow S}\ {\Leftarrow}{\leftarrow}$$

$\Gamma; \Delta; \Psi \vdash_\Sigma E \leftarrow S$ [Pattern expansion]

$$\frac{\Gamma; \Delta \vdash E \leftarrow S}{\Gamma; \Delta; \cdot \vdash E \leftarrow S} \qquad \frac{\Gamma; \Delta; p_1^{\wedge}S_1, p_2^{\wedge}S_2, \Psi \vdash E \leftarrow S}{\Gamma; \Delta; (p_1 \otimes p_2)^{\wedge}(S_1 \otimes S_2), \Psi \vdash E \leftarrow S}\ \otimes\mathsf{L} \qquad \frac{\Gamma; \Delta; \Psi \vdash E \leftarrow S}{\Gamma; \Delta; 1^{\wedge}1, \Psi \vdash E \leftarrow S}\ 1\mathsf{L}$$

$$\frac{\Gamma, x{:}A; \Delta; p^{\wedge}S_0, \Psi \vdash E \leftarrow S}{\Gamma; \Delta; [x, p]^{\wedge}(\exists x{:}A.\,S_0), \Psi \vdash E \leftarrow S}\ \exists\mathsf{L} \qquad \frac{\Gamma; \Delta, x^{\wedge}A; \Psi \vdash E \leftarrow S}{\Gamma; \Delta; x^{\wedge}A, \Psi \vdash E \leftarrow S}\ A\mathsf{L}$$

$\Gamma; \Delta \vdash_\Sigma M \Leftarrow S$ [Monadic object checking]

$$\frac{\Gamma; \Delta_1 \vdash M_1 \Leftarrow S_1 \qquad \Gamma; \Delta_2 \vdash M_2 \Leftarrow S_2}{\Gamma; \Delta_1, \Delta_2 \vdash M_1 \otimes M_2 \Leftarrow S_1 \otimes S_2}\ \otimes\mathsf{I} \qquad \frac{}{\Gamma; \cdot \vdash 1 \Leftarrow 1}\ 1\mathsf{I}$$

$$\frac{\Gamma; \cdot \vdash N \Leftarrow A \qquad \Gamma; \Delta \vdash M \Leftarrow \mathsf{inst\_s}_A(x.\,S, N)}{\Gamma; \Delta \vdash [N, M] \Leftarrow \exists x{:}A.\,S}\ \exists\mathsf{I}$$
The rule [∃I] requires another kind of instantiation operator in order to instantiate the dependent variable in a dependent pair type.

A summary of all the judgments and rules of CLF can be found in Appendix A.


2.3 Related work

As noted above, CLF includes the LF and LLF frameworks as fragments, where the CLF counterpart of an LF or LLF object is its canonical form with type labels omitted. The CLF extension is conservative; anyone who knows how to use LF or LLF can bring their (canonical) specifications to CLF and use them without modification. There is a further "modularity" property: given an LF or LLF signature $\Sigma_1$ and a disjoint CLF signature $\Sigma_2$, both of which are valid, and a type $A$ well-formed in $\Sigma_1$, the set of objects of type $A$ in $\Sigma_1, \Sigma_2$ is the same as the set of objects of type $A$ in $\Sigma_1$ alone.¹

The LLF framework was motivated as the largest fragment of intuitionistic linear logic having a proof term assignment without commuting conversions [Cer96]. The equational theory that would be associated with commuting conversions was seen as intractable. Pfenning and Davies note that the commuting conversions of Moggi's monadic metalanguage [Mog89, Mog91] can be eliminated by creating a new typing judgment associated with a new class of object, the expressions [PD01]. They exhibit a compositional translation from the monadic metalanguage into their proof term assignment for lax logic [FM97].

¹The modularity result does not hold for arbitrary disjoint CLF signatures $\Sigma_1$ and $\Sigma_2$. It could be recovered by replacing the monadic type constructor with a countably infinite family of "tagged" monadic type constructors and requiring that the sets of tags mentioned in $\Sigma_1$ and $\Sigma_2$ be disjoint.
The translation takes monadic metalanguage terms related by commuting conversions into identical terms of the target language. CLF exploits their idea to eliminate commuting conversions that would otherwise be associated with the monadic type and the synchronous types. The monadic type constructor $\{S\}$ would be written $\bigcirc S$ in lax logic.

Further remarks on how CLF relates to frameworks outside the LF family appear at the end of the following section.

3 Toward a methodology for representing concurrent systems

The following are a few remarks on the methodology associated with the CLF language. For further details, the reader may consult the companion report on applications [CPWW02].

A logical framework in the LF tradition is not only a type theory. It is also a methodology for representing the deductive systems of interest within that type theory [Pfe99]. The LF methodology represents object-language judgments by LF types and object-language deductions by LF objects. Other syntactic entities of the object language (propositions, expressions, types, etc.) are also represented by LF objects. In each case an adequacy theorem establishes that there is a compositional bijection between well-formed entities of the object language and well-typed canonical objects in LF (of a certain type). The higher types and dependent types available in LF assist in this task: LF abstraction models object-language binding, $\alpha$-conversion, and substitution ("higher-order abstract syntax" [PE88]); LF abstraction also models hypothetical and parametric judgments of the object language; and LF dependent function types enforce well-formedness constraints on object-language deductions.

For this reason, LF representations do not need to deal explicitly with matters of variable binding and $\alpha$-conversion, and certain kinds of errors in specification associated with such binding constructs are impossible to make. Similarly, LF representations do not need to explicitly encode the relation between an object-language deduction and the proposition that it proves: the proposition that a deduction proves becomes an intrinsic part of its (dependent) LF type. In this way, proof checking reduces to LF type checking, which is decidable and efficient.

Linear LF seeks to expand these benefits to the case of linear hypothetical judgments. Linear hypotheses make mutable state an intrinsic part of the framework. When representing an object system involving mutable state, it is not necessary to represent the state as an explicit object, nor to explicitly specify operations for adding information to the state, changing it, or withdrawing information from it. This idea takes on a particularly simple form when the state consists of the presence or absence of any of a set of discrete resources, as in the following example.

3.1 An example: Petri nets with labeled tokens

Here we consider a simple example of an object system involving state: a Petri net [Pet62] with labeled tokens. Such a Petri net consists of a directed bipartite graph of places and transitions. A state of the net consists of a mapping from a finite set of tokens, each uniquely labeled, to the places.² A computation step consists of choosing a transition, removing a

²One requirement of the LLF representation methodology, when applied to systems involving discrete sets of resources, is that the resources be distinguishable. Hence the tokens of the Petri net must carry unique labels. It is possible that proof irrelevance [Pfe01a] could offer a way of modeling indistinguishability.
Figure 1: An example Petri net (places r, ready to release; n, counter; c, ready to consume; p, ready to produce; a, ready to acquire; and b).

token from each of its antecedent places, and adding a fresh token to each of its succedent places. A transition cannot be chosen if any of its antecedent places has no tokens.

For example, Figure 1 shows a labeled Petri net with six places and four transitions. Our simple representation of the net in the LLF fragment of CLF models the places by LLF type constants and the transitions and tokens by LLF objects. Each token has a type corresponding to the place in which it is located. (A more sophisticated representation might model places as objects and introduce a two-place judgment "token $x$ is in place $y$.") The transitions are linear functions in continuation-passing style, "consuming" linear hypotheses associated with the antecedent places and introducing new linear hypotheses associated with the succedent places. A type $G$ represents the continuation. Thus we have the following signature:

$$\begin{array}{ll}
p, r, n, a, b, c : \mathsf{type} & P : (r \multimap G) \multimap (p \multimap G) \\
G : \mathsf{type} & R : (p \multimap n \multimap b \multimap G) \multimap (r \multimap G) \\
& A : (c \multimap G) \multimap (b \multimap b \multimap a \multimap G) \\
& C : (a \multimap G) \multimap (c \multimap G)
\end{array}$$

The adequacy theorem for this representation states:

Final state $q_1, \ldots, q_n$ reached from initial state $p_1, \ldots, p_m$ iff there is an object $N$ such that

$$\cdot \vdash N \Leftarrow (q_1 \multimap \cdots \multimap q_n \multimap G) \multimap (p_1 \multimap \cdots \multimap p_m \multimap G)$$

Moreover, there is a bijection between sequences of firings of the transition rules of the Petri net and such canonical objects.

Two examples of such objects are as follows. The first represents the firing of R followed
by the firing of A in the shown initial state. The second shows the same firings in the
opposite order. Here the abbreviation $\hat\lambda x_1, x_2, \ldots, x_n.\, N$ stands for a curried sequence of
linear $\hat\lambda$-abstractions. The outermost $\hat\lambda$-abstractions have been elided.

unique labels. It is possible that proof irrelevance [Pfe01a] could offer a way of modeling indistinguishability.
$$\Delta = f \,\hat{:}\, (c \multimap b \multimap b \multimap n \multimap n \multimap n \multimap p \multimap G),\;
r_1 \,\hat{:}\, r,\; n_1 \,\hat{:}\, n,\; n_2 \,\hat{:}\, n,\; b_1 \,\hat{:}\, b,\; b_2 \,\hat{:}\, b,\; b_3 \,\hat{:}\, b,\; a_1 \,\hat{:}\, a$$

$$\cdot;\Delta \vdash R^{\wedge}(\hat\lambda p_1, n_3, b_4.\; A^{\wedge}(\hat\lambda c_1.\; f^{\wedge} c_1 {}^{\wedge} b_3 {}^{\wedge} b_4 {}^{\wedge} n_1 {}^{\wedge} n_2 {}^{\wedge} n_3 {}^{\wedge} p_1)^{\wedge} b_1 {}^{\wedge} b_2 {}^{\wedge} a_1)^{\wedge} r_1 \Leftarrow G$$

$$\cdot;\Delta \vdash A^{\wedge}(\hat\lambda c_1.\; R^{\wedge}(\hat\lambda p_1, n_3, b_4.\; f^{\wedge} c_1 {}^{\wedge} b_3 {}^{\wedge} b_4 {}^{\wedge} n_1 {}^{\wedge} n_2 {}^{\wedge} n_3 {}^{\wedge} p_1)^{\wedge} r_1)^{\wedge} b_1 {}^{\wedge} b_2 {}^{\wedge} a_1 \Leftarrow G$$

The benefit of the LLF methodology is clear: it is not necessary to explicitly manage a
“list” of tokens and axiomatize operations for adding and removing tokens from the list, as
one would have to do in LF. In LF one would also have to prove various interaction laws for
the token-list-managing operations; in LLF, the required principles are proved once and for
all as structural laws of the framework’s linear hypothetical judgment. However, there is also
room for improvement. We might have hoped for an adequacy theorem relating LLF objects
to concurrent computations of the Petri net, that is, equivalence classes of computations
under rearrangement of independent steps. But this strengthened adequacy theorem does not
hold. For example, the two LLF terms above correspond to computations differing only in
the order of independent R and A steps: no labeled token indexing the R step is involved in
the A step, and vice versa. But the structure of the LLF representation nonetheless requires
that the two orderings be represented by different terms. In essence, the continuation-passing
style of the representation forces a sequentialization of the computation.

3.2  Representing  LPNs  in  CLF 

It is tempting to think that this issue can be solved by adding more connectives to the
framework. Why not work with a framework containing a full complement of linear logical
operators (including $1$, $A \otimes B$, $!A$) and replace

$$c_k : (q_1 \multimap \ldots \multimap q_n \multimap G) \multimap (p_1 \multimap \ldots \multimap p_m \multimap G)$$

with the apparently more straightforward

$$c_k' : p_1 \otimes \ldots \otimes p_m \multimap q_1 \otimes \ldots \otimes q_n$$

Unfortunately, such an extension would not be conservative over the LF and LLF fragments
of the type language. In fact, it would have a catastrophic effect on adequacy results
for even very simple LF encodings. Consider a simple LF representation of the natural
numbers together with an additional constant $c$ of multiplicative unit type:

$$\mathsf{nat} : \mathsf{type} \qquad z : \mathsf{nat} \qquad s : \mathsf{nat} \to \mathsf{nat} \qquad c : 1$$

The problem is that terms such as $(\mathsf{let}\ 1 = c\ \mathsf{in}\ z : \mathsf{nat})$ destroy the bijective correspondence
of the type $\mathsf{nat}$ with the set of natural numbers.^ Similar examples would arise in the
presence of a constant of type $A \otimes B$, $!A$, $A \oplus B$, or $0$. So the adequacy of the LF encoding
is destroyed by the presence of even a single object constant having a type given by one of
the new type constructors.

The underlying problem is that the destructors associated with these synchronous types
involve “polymorphic” binding constructs that do not constrain the type of the object
resulting from the binding. CLF’s monadic type extracts us from this difficulty by restricting
the awkward binding constructs to the monad. This encapsulation protects the pure LF
and LLF fragments of CLF from the new constructs. All encodings already devised for
LF or LLF remain adequate, and their adequacy proofs can remain exactly the same.
Furthermore, as has already been noted, the separation between expressions and objects
rules out commuting conversions, simplifying the equational theory.

^Examples such as $(\hat\lambda x.\ \mathsf{let}\ 1 = x\ \mathsf{in}\ z : 1 \multimap \mathsf{nat})$ show that the term above cannot simply be equal to $z$.

Using CLF’s multiplicative conjunction $\otimes$, our transition rule can be rewritten as

$$c_k'' : p_1 \multimap \ldots \multimap p_m \multimap \{q_1 \otimes \ldots \otimes q_n\}$$

where currying eliminates the use of $\otimes$ on the left-hand side. The multiplicative unit $1$
covers the case $n = 0$. Though it does not arise here, a modified model of Petri nets might
also have transitions generating elements of persistent (unrestricted) type. In that case we
would have exponentials $!q$ on the right as well. (Exponentials on the left can be curried
away using the unrestricted function type.)

As an aside, while one might think that the presence of the exponential type constructor $!$
would render the intuitionistic function type $A \to B$ definable by $\{!A\} \multimap B$, this is not
in fact the case. As a simple counterexample we may see that while $a \to a$ ($a$ being an
uninhabited atomic type) is inhabited by $\lambda x.\,x$, the type $\{!a\} \multimap a$ is not inhabited. The
type $\{!a\} \multimap \{a\}$ is inhabited by $\hat\lambda x.\,\{\mathsf{let}\ \{!y\} = x\ \mathsf{in}\ y\}$, however.

Thus,  in  CLF,  the  Petri  net  example  is  represented  almost  as  in  intuitionistic  linear 
logic,  except  that  the  right-hand  sides  of  the  linear  implications  use  the  monad. 

$$\begin{aligned}
P &: p \multimap \{r\} \\
R &: r \multimap \{p \otimes n \otimes b\} \\
A &: b \multimap b \multimap a \multimap \{c\} \\
C &: c \multimap \{a\}
\end{aligned}$$

The  two  example  Petri  net  executions  shown  above  in  the  LLF  encoding  correspond  to 
the  following  objects  in  the  new  encoding: 

$$\Delta = r_1 \,\hat{:}\, r,\; n_1 \,\hat{:}\, n,\; n_2 \,\hat{:}\, n,\; b_1 \,\hat{:}\, b,\; b_2 \,\hat{:}\, b,\; b_3 \,\hat{:}\, b,\; a_1 \,\hat{:}\, a$$

$$S = c \otimes b \otimes b \otimes n \otimes n \otimes n \otimes p$$

$$\cdot;\Delta \vdash \{\mathsf{let}\ \{p_1 \otimes n_3 \otimes b_4\} = R^{\wedge} r_1\ \mathsf{in}\ \mathsf{let}\ \{c_1\} = A^{\wedge} b_1 {}^{\wedge} b_2 {}^{\wedge} a_1\ \mathsf{in}\ c_1 \otimes b_3 \otimes b_4 \otimes n_1 \otimes n_2 \otimes n_3 \otimes p_1\} \Leftarrow \{S\}$$

$$\cdot;\Delta \vdash \{\mathsf{let}\ \{c_1\} = A^{\wedge} b_1 {}^{\wedge} b_2 {}^{\wedge} a_1\ \mathsf{in}\ \mathsf{let}\ \{p_1 \otimes n_3 \otimes b_4\} = R^{\wedge} r_1\ \mathsf{in}\ c_1 \otimes b_3 \otimes b_4 \otimes n_1 \otimes n_2 \otimes n_3 \otimes p_1\} \Leftarrow \{S\}$$

It  is  now  easy  to  see  that  the  two  executions  are  equal.  This  idea  is  crystallized  as  an 
improved  adequacy  theorem: 

Final state $q_1, \ldots, q_n$ can be reached from initial state $p_1, \ldots, p_m$ iff there is an
object $N$ such that

$$\cdot \vdash N \Leftarrow p_1 \multimap \ldots \multimap p_m \multimap \{q_1 \otimes \ldots \otimes q_n\}$$

Moreover, there is a bijection between concurrent executions of the transition
rules of the Petri net and equivalence classes of such objects modulo $=$.
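The two executions above, as an added example that is not part of the report: a Python simulation of the Figure 1 net with labelled tokens (transition arities taken from the CLF signature above; token labels are constructed). It computes a canonical form of a trace modulo reordering of independent steps, using the Foata normal form as the representative of each equivalence class, which is an assumption of this example rather than the report's definition of $=$.

```python
from collections import Counter, namedtuple

# Added example, not the report's code.  The net of Figure 1 as read off the CLF
# signature above: transition name -> (antecedent places, succedent places).
TRANSITIONS = {
    "P": (("p",), ("r",)),
    "R": (("r",), ("p", "n", "b")),
    "A": (("b", "b", "a"), ("c",)),
    "C": (("c",), ("a",)),
}

# One firing: which labelled tokens it consumed and which fresh ones it produced
# (the analogue of one `let {p} = R in ...` binding).
Step = namedtuple("Step", "name consumed produced")


def fire(marking, name, consumed, produced):
    """Fire transition `name` on `marking` (dict: token label -> place).

    `consumed` lists one token label per antecedent place, in declared order;
    `produced` lists one fresh label per succedent place."""
    ante, succ = TRANSITIONS[name]
    if len(consumed) != len(ante) or len(produced) != len(succ):
        raise ValueError(f"{name}: wrong number of tokens")
    for label, place in zip(consumed, ante):
        if marking.get(label) != place:
            raise ValueError(f"{name}: token {label!r} is not in place {place!r}")
    if any(label in marking for label in produced):
        raise ValueError(f"{name}: produced labels must be fresh")
    new = {lbl: plc for lbl, plc in marking.items() if lbl not in consumed}
    new.update(zip(produced, succ))
    return new, Step(name, frozenset(consumed), frozenset(produced))


def run(marking, firings):
    """Fire a list of (name, consumed, produced) triples; return final marking and trace."""
    trace = []
    for name, consumed, produced in firings:
        marking, step = fire(marking, name, consumed, produced)
        trace.append(step)
    return marking, tuple(trace)


def places(marking):
    """Forget the labels: the multiset of occupied places (the S of the page)."""
    return Counter(marking.values())


def dependent(s, t):
    """Steps are dependent iff some labelled token is involved in both
    (in a valid trace that means t consumes a token that s produced)."""
    return not (s.consumed | s.produced).isdisjoint(t.consumed | t.produced)


def step_key(step):
    return (step.name, sorted(step.consumed), sorted(step.produced))


def concurrent_normal_form(trace):
    """Canonical representative of a trace modulo reordering of independent steps.

    Assumption of this example: the Foata normal form is the representative.
    Each step gets the length of the longest chain of dependent steps preceding
    it; that assignment is invariant under swapping adjacent independent steps,
    and sorting within each level makes the result unique."""
    levels = []
    for i, step in enumerate(trace):
        lvl = 0
        for j in range(i):
            if dependent(trace[j], step):
                lvl = max(lvl, levels[j] + 1)
        levels.append(lvl)
    return tuple(
        tuple(sorted((s for s, l in zip(trace, levels) if l == lvl), key=step_key))
        for lvl in range(max(levels, default=-1) + 1)
    )


# Constructed sample data: the initial state Delta of the page's two executions.
INITIAL = {"r1": "r", "n1": "n", "n2": "n", "b1": "b", "b2": "b", "b3": "b", "a1": "a"}
R_THEN_A = [("R", ("r1",), ("p1", "n3", "b4")), ("A", ("b1", "b2", "a1"), ("c1",))]
A_THEN_R = [R_THEN_A[1], R_THEN_A[0]]
# Here A consumes b4, which R produced: a genuinely sequential computation.
R_FEEDS_A = [("R", ("r1",), ("p1", "n3", "b4")), ("A", ("b1", "b4", "a1"), ("c1",))]


def compare(firings1, firings2):
    """Return (same final multiset of places, same concurrent computation)."""
    m1, t1 = run(INITIAL, firings1)
    m2, t2 = run(INITIAL, firings2)
    same_state = places(m1) == places(m2)
    same_computation = concurrent_normal_form(t1) == concurrent_normal_form(t2)
    return same_state, same_computation


if __name__ == "__main__":
    print(compare(R_THEN_A, A_THEN_R))   # (True, True): equal modulo independent steps
    print(compare(R_THEN_A, R_FEEDS_A))  # (True, False): same state, different computation
```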
While at first this may seem a minor modification, it has far-reaching consequences.
Experience with logical frameworks has shown many times that natural encodings lead to
deeper understanding of the underlying logical and computational principles, while contrived
encodings often do not shed much light on the subject of study. These advantages
are multiplied when considering algorithms for manipulating the representations, for proof
search, and for meta-theoretic reasoning, because the principles embodied in and provided
by the framework have been factored out and do not need to be re-implemented for each
encoding.

The representation principle for CLF, then, can be summarized by “concurrent computations
as monadic expressions.” Each computation step in a concurrent computation
becomes a binding $\mathsf{let}\ \{p\} = R\ \mathsf{in}\ E$, possibly “consuming” some linear hypotheses in $R$
and “producing” more linear hypotheses in $p$, which will be available in the rest of the
computation $E$.

While there is not space here to discuss more interesting examples of CLF representations,
the companion technical report [CPWW02] contains examples including a fuller
discussion of Petri net encodings; synchronous and asynchronous $\pi$-calculi; an ML-like
language with references and concurrency in the style of CML; and the security protocol
language MSR.

3.3  Related  work 

The LF representation methodology is discussed in detail in the handbook article on logical
frameworks by Pfenning [Pfe99]. Further examples of CLF representations, including
a full development of the Petri net example, are in the technical report by Cervesato
et al. [CPWW02]. The idea of representing Petri nets by linear hypothetical judgments has
a long history, going back to Martí-Oliet and Meseguer [MOM91].

Monadic encapsulation in the context of functional programming and type theory begins
with Moggi’s monadic metalanguage [Mog89, Mog91]. Prawitz describes a proof theory for
modal logics [Pra65], from which Moggi’s presentation of the monadic metalanguage inherits.
Pfenning and Davies [PD01] revisit the question of proof theory for modal logic,
reinterpreting it on the basis of a judgmental approach in the style promulgated by Martin-Löf [ML96].
Their approach improves on the original formulation of the monadic metalanguage
in that commuting conversions are no longer needed. Their judgmental analysis of
the modal operator of lax logic is the basis for CLF’s modal type constructor and the associated
CLF judgments. They do not, however, consider the existence of canonical forms,
and their proof term language, unlike CLF, relies on $\beta\eta$-conversion.

There have been many other formalisms proposed for the representation of concurrent
systems, many having elements in common with the CLF approach. Abramsky’s “proofs-as-processes”
relates classical linear logic with the synchronous $\pi$-calculus [Abr93, BS94].
Here concurrent computation corresponds to proof normalization (cut elimination), giving
the system a functional flavor. Concurrent computations (traces) are thus not reified as
objects, as they are in CLF.

Closer to the CLF view are approaches in which logical formulas are identified with
processes and proofs with concurrent computations. Thus, these are nearer to logic programming
in the sense of proof search [MNPS91] than to functional programming. For
example, Miller outlines a translation from the $\pi$-calculus into linear logic: processes become
LL propositions and $\pi$-calculus reduction becomes LL entailment [Mil92]. These ideas
are generalized and reformulated as a logical framework in Miller’s proposal for the specification
logic Forum [Mil96, Chi95]. Forum offers a paradigm for viewing logic programming
as concurrent computation, and so it is likely that the logic programming interpretation
for CLF will draw heavily from it. However, in Forum proofs cannot be manipulated as
first-class objects: not even cut elimination is treated, let alone an equational theory on
proofs. The same is true of LinLog [And92], LO [AP91], ACL [KY93], Lygon [HPW96],
and LLP [HWTK98], all of which treat logic programming over other fragments of classical
or intuitionistic linear logic.

Perrier describes how the basic idea of linear logic programming as concurrent computation
can be improved by adopting proof nets [Gir87] rather than sequent calculus proofs
as the fundamental computational objects [Per98]. Again, however, proof nets are treated
only meta-theoretically; they are not first-class terms of the process language. The key
foundational idea of Elf, that proofs should be just like any other objects of the framework,
does not apply.

Barber proposes a very general type theory based on linear operators and proves decidability
in the general framework [Bar97]. Since the generalization includes the DILL type
theory and the action calculus as special cases, this immediately entails the decidability
of the DILL type theory. However, there is no treatment of dependent types, nor would
DILL be adequate for LF-style representations for the reasons outlined in Section 3.2. Also,
the presentation does not seem to lend itself to concrete implementation as a mechanized
framework. Finally, Barber’s reliance on proof nets would seem to render the extension
to additive sum types problematic, while for CLF it is straightforward, because the issue
of commuting conversions (other than an appropriate generalization of the permutative
conversions) does not arise.

Honsell et al. develop perhaps the most significant application of a logical framework
in the sphere of concurrency [HMS01]. They present an encoding of the $\pi$-calculus in the
Coq system, a framework based on a higher-order type theory with (co)inductive types,
and work out some rather advanced meta-theory using the encoding. But this should be
regarded as a tour de force, given that Coq offers no intrinsic support for reasoning about
concurrency. Of course, even in CLF, abstract relations like the strong late bisimilarity
treated in their development would need to be treated explicitly. CLF’s concurrent equality
simplifies such reasoning; it does not obviate the need for it.

4  Some  meta-theoretic  results 

The design of CLF is based on the idea that every syntactically well-formed term should be
“canonical,” and that the notion of $\beta\eta$-conversion should be eliminated, in favor of simple
inductively defined instantiation operators for instantiating a variable in a term with an
object. Thus, in developing the meta-theory of CLF there is no need to consider issues such
as confluence and normalizability per se. Instead, we define the instantiation operators
by a manifestly terminating recurrence, and we focus on the simple algebraic laws that
the instantiation operators satisfy, and on their interaction with the framework’s notion of
equality.

Another new element of this approach is an expansion operator taking an atomic object
to the corresponding normal object at higher type. This is necessary because the coercion
rule from atomic objects to normal objects can only be applied at base type. The
expansion operator thus replaces the idea of $\eta$-conversion.
Once the instantiation and expansion operators have been defined, and their algebraic
properties  characterized,  it  is  possible  to  describe  their  relationship  to  the  judgments  for 
typing.  It  so  happens  that  the  instantiation  operators  witness  the  familiar  substitution 
principles  for  typing  (the  transitivity  of  entailment,  from  the  proof-theoretic  point  of  view), 
and  the  expansion  operator  witnesses  the  identity  principles  for  typing  (the  reflexivity  of 
entailment). 

4.1  Instantiation 

The recurrence defining instantiation is based on the observation, exploited in cut elimination
proofs on the logical side [Pfe00], but not so well known on the type theoretic side,
that the canonical result of substituting one canonical term into another can be defined by
induction on the type of the term being substituted. Accordingly, the instantiation operators
are defined as a family parameterized over the type of the object being substituted.
In the notation $\mathrm{inst\_c}_A(x.\,X, N)$ this type $A$ appears as a subscript. Here $c$ is replaced by a
mnemonic for the particular syntactic category to which the instantiation operator applies.
The variable $x$ is to be considered bound within the term $X$ (of whatever category) being
substituted into. The operators defined in this section should be thought of as applying to
equivalence classes of concrete terms modulo $\alpha$-equivalence on bound variables.

Together with the instantiation operators, and defined by mutual recursion with them,
is a reduction operator $\mathrm{reduce}_A(x.\,R, N)$ that computes the canonical object resulting from
the instantiation of $x$ with $N$ in the case that the head variable $\mathrm{head}(R)$ of the atomic
object $R$ is $x$. Thus, roughly speaking, it corresponds to the idea of weak head reduction
for systems with $\beta$-reduction. The instantiation operator $\mathrm{inst\_r}_A(x.\,R, N)$, by contrast, is
only defined if the head of $R$ is not $x$. Another distinguishing feature is that reduction on
an atomic object yields a normal object, while instantiation on an atomic object yields an
atomic object.

Finally, there is a type reduction operator $\mathrm{treduce}_A(x.\,R)$ that computes the putative
type of $R$ given that the head of $R$ is $x$ and the type of $x$ is $A$.^ Type reduction is used in
side conditions that ensure that the recurrence defining instantiation is well-founded.

The  first  definition  covers  the  LF  fragment  of  CLF. 

Definition 12 (Instantiation, LF fragment)

$\mathrm{treduce}_A(x.\,R) = B$ [Type reduction]

$$\begin{aligned}
\mathrm{treduce}_A(x.\,x) &= A \\
\mathrm{treduce}_A(x.\,R\,N) &= C \quad \text{if } \mathrm{treduce}_A(x.\,R) = \Pi y{:}B.\,C
\end{aligned}$$

$\mathrm{reduce}_A(x.\,R, N_0) = N'$ [Reduction]

$$\begin{aligned}
\mathrm{reduce}_A(x.\,x, N_0) &= N_0 \\
\mathrm{reduce}_A(x.\,R\,N, N_0) &= \mathrm{inst\_n}_B(y.\,N', \mathrm{inst\_n}_A(x.\,N, N_0)) \\
&\qquad \text{if } \mathrm{treduce}_A(x.\,R) = \Pi y{:}B.\,C \text{ and } \mathrm{reduce}_A(x.\,R, N_0) = \lambda y.\,N'
\end{aligned}$$

$\mathrm{inst\_r}_A(x.\,R, N_0) = R'$ [Atomic object instantiation]

$$\begin{aligned}
\mathrm{inst\_r}_A(x.\,c, N_0) &= c \\
\mathrm{inst\_r}_A(x.\,y, N_0) &= y \quad \text{if } y \text{ is not } x \\
\mathrm{inst\_r}_A(x.\,R\,N, N_0) &= (\mathrm{inst\_r}_A(x.\,R, N_0))\,(\mathrm{inst\_n}_A(x.\,N, N_0))
\end{aligned}$$

$\mathrm{inst\_n}_A(x.\,N, N_0) = N'$ [Normal object instantiation]

$$\begin{aligned}
\mathrm{inst\_n}_A(x.\,\lambda y.\,N, N_0) &= \lambda y.\,\mathrm{inst\_n}_A(x.\,N, N_0) \quad \text{if } y \notin \mathrm{FV}(N_0) \\
\mathrm{inst\_n}_A(x.\,R, N_0) &= \mathrm{inst\_r}_A(x.\,R, N_0) \quad \text{if } \mathrm{head}(R) \text{ is not } x \\
\mathrm{inst\_n}_A(x.\,R, N_0) &= \mathrm{reduce}_A(x.\,R, N_0) \quad \text{if } \mathrm{treduce}_A(x.\,R) = P
\end{aligned}$$

$\mathrm{inst\_p}_A(x.\,P, N_0) = P'$ [Atomic type constructor instantiation]

$\mathrm{inst\_a}_A(x.\,A, N_0) = A'$ [Type instantiation]

$\mathrm{inst\_k}_A(x.\,K, N_0) = K'$ [Kind instantiation]

(Analogous.)

^Actually, to be more precise, the type of $R$ will be a substitution instance of $\mathrm{treduce}_A(x.\,R)$. The
instantiation operators do not keep track of dependencies within the type subscript.

The recurrence defining these operators is based on a structural induction. There is an
outer induction on the type subscripting the operators, and an inner simultaneous induction
on the two arguments. Noting first that if $\mathrm{treduce}_A(x.\,R)$ is defined, it is a subterm of $A$,
the fact that the recurrence relations respect this induction order can be verified almost by
inspection. The only slightly subtle case is the equation for $\mathrm{reduce}_A(x.\,R\,N, N_0)$, which is the
only case in which the subscripting type changes. Here the side condition
$\mathrm{treduce}_A(x.\,R) = \Pi y{:}B.\,C$ ensures that $B$ must be a strict subterm of $A$ for the reduction to be defined. An
instantiation such as $\mathrm{inst\_n}_A(x.\,x\,x, \lambda x.\,x\,x)$ is guaranteed to fail the side condition after
only finitely many expansions of the recurrence.

Another way in which an instance of the instantiation operators might fail to be defined
would be if the recursive reduction $\mathrm{reduce}_A(x.\,R, N_0)$ in the same equation failed to result
in a manifest lambda abstraction $\lambda y.\,N'$. In fact, this could only happen if the term $N_0$ failed
to have the ascribed type $A$.^ So instantiation always terminates, regardless of whether its
arguments are well typed, but it is not defined in all cases. After the meta-theory is further
developed, it can be shown that instantiation is always defined on well-typed terms when
the types match in the appropriate way.
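As an added example (not the report's code), the LF-fragment recurrence of Definition 12 written as Python functions over a constructed term syntax; it shows a hereditary substitution reducing the redex it creates, and the self-application instance just discussed failing the `treduce` side condition after finitely many steps. Types are represented as plain arrows with the dependency ignored, which the footnote above notes the operators never need; all term and variable names are constructed.

```python
# Added example, not the report's code: Definition 12 (LF fragment) in Python.
# Types: ("base", name) | ("pi", B, C)   -- Pi y:B. C with the dependency on y ignored
# Normal objects: ("lam", y, N) | atomic R;  atomic: ("var", x) | ("const", c) | ("app", R, N)
# All names (x, y, z, w, f, a, c) are constructed for this example.

class Undefined(Exception):
    """A side condition of the recurrence failed, so the operator is undefined here."""

def head(R):
    while R[0] == "app":
        R = R[1]
    return R

def free_vars(N):
    tag = N[0]
    if tag == "var":
        return {N[1]}
    if tag == "const":
        return set()
    if tag == "app":
        return free_vars(N[1]) | free_vars(N[2])
    return free_vars(N[2]) - {N[1]}                 # lam

def treduce(A, x, R):
    """treduce_A(x. R): putative type of R, given head(R) = x and x : A."""
    if R == ("var", x):
        return A
    if R[0] == "app":
        T = treduce(A, x, R[1])
        if T[0] == "pi":
            return T[2]                              # C from Pi y:B. C
    raise Undefined(("treduce", R))

def reduce_(A, x, R, N0):
    """reduce_A(x. R, N0): canonical result of substituting N0 for x when head(R) = x.
    The inst_n call on the lambda body is at the strictly smaller type B."""
    if R == ("var", x):
        return N0
    if R[0] != "app":
        raise Undefined(("reduce", R))
    T = treduce(A, x, R[1])
    if T[0] != "pi":
        raise Undefined(("reduce", R))
    fn = reduce_(A, x, R[1], N0)
    if fn[0] != "lam":                               # only if N0 is ill-typed
        raise Undefined(("reduce: no manifest lambda", fn))
    return inst_n(T[1], fn[1], fn[2], inst_n(A, x, R[2], N0))

def inst_r(A, x, R, N0):
    """inst_r_A(x. R, N0): atomic object instantiation; requires head(R) != x."""
    if R[0] == "const" or (R[0] == "var" and R[1] != x):
        return R
    if R[0] == "app":
        return ("app", inst_r(A, x, R[1], N0), inst_n(A, x, R[2], N0))
    raise Undefined(("inst_r: head is x", R))

def inst_n(A, x, N, N0):
    """inst_n_A(x. N, N0): normal object instantiation (hereditary substitution)."""
    if N[0] == "lam":
        if N[1] in free_vars(N0):                    # rename bound variables first
            raise Undefined(("inst_n: capture", N[1]))
        return ("lam", N[1], inst_n(A, x, N[2], N0))
    if head(N) != ("var", x):
        return inst_r(A, x, N, N0)
    if treduce(A, x, N)[0] != "base":                # result must be at base type
        raise Undefined(("inst_n: not at base type", N))
    return reduce_(A, x, N, N0)

A_TO_A = ("pi", ("base", "a"), ("base", "a"))

def example_simple():
    # inst_n_{a->a}(x. \y. x y, \z. c z)  =  \y. c y
    N = ("lam", "y", ("app", ("var", "x"), ("var", "y")))
    N0 = ("lam", "z", ("app", ("const", "c"), ("var", "z")))
    return inst_n(A_TO_A, "x", N, N0)

def example_hereditary():
    # inst_n_{(a->a)->a}(x. x (\w. w), \f. f c)  =  c : the redex created by the
    # substitution is reduced along the way, so the output is already canonical.
    A = ("pi", A_TO_A, ("base", "a"))
    N = ("app", ("var", "x"), ("lam", "w", ("var", "w")))
    N0 = ("lam", "f", ("app", ("var", "f"), ("const", "c")))
    return inst_n(A, "x", N, N0)

def example_self_application():
    # inst_n_{a->a}(x. x x, \z. z z) is undefined: the treduce side condition
    # fails after finitely many unfoldings instead of looping forever.
    N = ("app", ("var", "x"), ("var", "x"))
    N0 = ("lam", "z", ("app", ("var", "z"), ("var", "z")))
    try:
        inst_n(A_TO_A, "x", N, N0)
    except Undefined:
        return "undefined"
    return "defined"
```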

No  substantially  new  issues  arise  in  the  extension  to  the  LLF  fragment. 

Definition 13 (Instantiation, LLF fragment)

$\mathrm{treduce}_A(x.\,R) = B$ [Type reduction, extended]

$$\begin{aligned}
\mathrm{treduce}_A(x.\,R^{\wedge}N) &= C \quad \text{if } \mathrm{treduce}_A(x.\,R) = B \multimap C \\
\mathrm{treduce}_A(x.\,\pi_1 R) &= B_1 \quad \text{if } \mathrm{treduce}_A(x.\,R) = B_1 \mathbin{\&} B_2 \\
\mathrm{treduce}_A(x.\,\pi_2 R) &= B_2 \quad \text{if } \mathrm{treduce}_A(x.\,R) = B_1 \mathbin{\&} B_2
\end{aligned}$$

$\mathrm{reduce}_A(x.\,R, N_0) = N'$ [Reduction, extended]

$$\begin{aligned}
\mathrm{reduce}_A(x.\,R^{\wedge}N, N_0) &= \mathrm{inst\_n}_B(y.\,N', \mathrm{inst\_n}_A(x.\,N, N_0)) \\
&\qquad \text{if } \mathrm{treduce}_A(x.\,R) = B \multimap C \text{ and } \mathrm{reduce}_A(x.\,R, N_0) = \hat\lambda y.\,N' \\
\mathrm{reduce}_A(x.\,\pi_1 R, N_0) &= N_1' \quad \text{if } \mathrm{reduce}_A(x.\,R, N_0) = \langle N_1', N_2' \rangle \\
\mathrm{reduce}_A(x.\,\pi_2 R, N_0) &= N_2' \quad \text{if } \mathrm{reduce}_A(x.\,R, N_0) = \langle N_1', N_2' \rangle
\end{aligned}$$

$\mathrm{inst\_r}_A(x.\,R, N_0) = R'$ [Atomic object instantiation, extended]

$$\begin{aligned}
\mathrm{inst\_r}_A(x.\,R^{\wedge}N, N_0) &= (\mathrm{inst\_r}_A(x.\,R, N_0))^{\wedge}(\mathrm{inst\_n}_A(x.\,N, N_0)) \\
\mathrm{inst\_r}_A(x.\,\pi_1 R, N_0) &= \pi_1(\mathrm{inst\_r}_A(x.\,R, N_0)) \\
\mathrm{inst\_r}_A(x.\,\pi_2 R, N_0) &= \pi_2(\mathrm{inst\_r}_A(x.\,R, N_0))
\end{aligned}$$

$\mathrm{inst\_n}_A(x.\,N, N_0) = N'$ [Normal object instantiation, extended]

$$\begin{aligned}
\mathrm{inst\_n}_A(x.\,\hat\lambda y.\,N, N_0) &= \hat\lambda y.\,\mathrm{inst\_n}_A(x.\,N, N_0) \quad \text{if } y \notin \mathrm{FV}(N_0) \\
\mathrm{inst\_n}_A(x.\,\langle N_1, N_2 \rangle, N_0) &= \langle \mathrm{inst\_n}_A(x.\,N_1, N_0), \mathrm{inst\_n}_A(x.\,N_2, N_0) \rangle \\
\mathrm{inst\_n}_A(x.\,\langle\rangle, N_0) &= \langle\rangle
\end{aligned}$$

^Or a substitution instance of $A$.

In order to extend this idea to the full CLF language, with its pattern-oriented destructor
for the monadic type, it is necessary to introduce matching operators $\mathrm{match\_c}_S(p.\,E, X)$,
where $X$ is either an expression or a monadic object. The matching operator computes
the result of instantiating $E$ according to the substitution on the variables of $p$ generated
by matching $p$ against $X$. (The variables in $p$ should be considered bound in $E$.) In the
case that $X$ is a monadic object $M_0$, this is straightforward: the syntax of monadic objects
corresponds precisely to that of patterns. But in the case that $X$ is a let binding, an
interesting issue arises:

$$\mathrm{match\_e}_S(p.\,\mathsf{let}\ \{p_1\} = R_1\ \mathsf{in}\ E_1,\ \mathsf{let}\ \{p_2\} = R_2\ \mathsf{in}\ E_2) = \;?$$

The key is found in Pfenning and Davies’ non-standard substitutions for the proof terms
of the modal logics of possibility and laxity [PD01]. These analyze the structure of the
object being substituted, not, as in the usual case, the term being substituted into. The
effect is similar to a commuting conversion:

$$\mathrm{match\_e}_S(p.\,\mathsf{let}\ \{p_1\} = R_1\ \mathsf{in}\ E_1,\ \mathsf{let}\ \{p_2\} = R_2\ \mathsf{in}\ E_2) = (\mathsf{let}\ \{p_2\} = R_2\ \mathsf{in}\ \mathrm{match\_e}_S(p.\,\mathsf{let}\ \{p_1\} = R_1\ \mathsf{in}\ E_1,\ E_2))$$

It is interesting that both non-standard substitution and pattern matching (the latter
not present in Pfenning and Davies’ system) rely in this way on an analysis of the object
being substituted rather than the term being substituted into. In a sense, this commonality
is what makes the harmonious interaction between CLF’s modality and its synchronous
types possible.

Definition 14 (Instantiation, full CLF)

$\mathrm{inst\_n}_A(x.\,N, N_0) = N'$ [Normal object instantiation, extended]

$$\mathrm{inst\_n}_A(x.\,\{E\}, N_0) = \{\mathrm{inst\_e}_A(x.\,E, N_0)\}$$

$\mathrm{inst\_m}_A(x.\,M, N_0) = M'$ [Monadic object instantiation]

$$\begin{aligned}
\mathrm{inst\_m}_A(x.\,M_1 \otimes M_2, N_0) &= \mathrm{inst\_m}_A(x.\,M_1, N_0) \otimes \mathrm{inst\_m}_A(x.\,M_2, N_0) \\
\mathrm{inst\_m}_A(x.\,1, N_0) &= 1 \\
\mathrm{inst\_m}_A(x.\,[N, M], N_0) &= [\mathrm{inst\_n}_A(x.\,N, N_0), \mathrm{inst\_m}_A(x.\,M, N_0)] \\
\mathrm{inst\_m}_A(x.\,N, N_0) &= \mathrm{inst\_n}_A(x.\,N, N_0)
\end{aligned}$$

$\mathrm{inst\_e}_A(x.\,E, N_0) = E'$ [Expression instantiation]

$$\begin{aligned}
\mathrm{inst\_e}_A(x.\,\mathsf{let}\ \{p\} = R\ \mathsf{in}\ E, N_0) &= (\mathsf{let}\ \{p\} = \mathrm{inst\_r}_A(x.\,R, N_0)\ \mathsf{in}\ \mathrm{inst\_e}_A(x.\,E, N_0)) \\
&\qquad \text{if } \mathrm{head}(R) \text{ is not } x, \text{ and } \mathrm{FV}(p) \cap \mathrm{FV}(N_0) \text{ is empty} \\
\mathrm{inst\_e}_A(x.\,\mathsf{let}\ \{p\} = R\ \mathsf{in}\ E, N_0) &= \mathrm{match\_e}_S(p.\,\mathrm{inst\_e}_A(x.\,E, N_0), E') \\
&\qquad \text{if } \mathrm{treduce}_A(x.\,R) = \{S\},\ \mathrm{reduce}_A(x.\,R, N_0) = \{E'\}, \text{ and } \mathrm{FV}(p) \cap \mathrm{FV}(N_0) \text{ is empty} \\
\mathrm{inst\_e}_A(x.\,M, N_0) &= \mathrm{inst\_m}_A(x.\,M, N_0)
\end{aligned}$$

$\mathrm{match\_m}_S(p.\,E, M_0) = E'$ [Match monadic object]

$$\begin{aligned}
\mathrm{match\_m}_{S_1 \otimes S_2}(p_1 \otimes p_2.\,E, M_1 \otimes M_2) &= \mathrm{match\_m}_{S_2}(p_2.\,\mathrm{match\_m}_{S_1}(p_1.\,E, M_1), M_2) \\
&\qquad \text{if } \mathrm{FV}(p_2) \cap \mathrm{FV}(M_1) \text{ is empty} \\
\mathrm{match\_m}_1(1.\,E, 1) &= E \\
\mathrm{match\_m}_{\exists x{:}A.\,S}([x, p].\,E, [N, M]) &= \mathrm{match\_m}_S(p.\,\mathrm{inst\_e}_A(x.\,E, N), M) \quad \text{if } \mathrm{FV}(p) \cap \mathrm{FV}(N) \text{ is empty} \\
\mathrm{match\_m}_A(x.\,E, N) &= \mathrm{inst\_e}_A(x.\,E, N)
\end{aligned}$$

$\mathrm{match\_e}_S(p.\,E, E_0) = E'$ [Match expression]

$$\begin{aligned}
\mathrm{match\_e}_S(p.\,E, \mathsf{let}\ \{p_0\} = R_0\ \mathsf{in}\ E_0) &= \mathsf{let}\ \{p_0\} = R_0\ \mathsf{in}\ \mathrm{match\_e}_S(p.\,E, E_0) \\
&\qquad \text{if } \mathrm{FV}(p_0) \cap \mathrm{FV}(E) \text{ and } \mathrm{FV}(p) \cap \mathrm{FV}(E_0) \text{ are empty} \\
\mathrm{match\_e}_S(p.\,E, M_0) &= \mathrm{match\_m}_S(p.\,E, M_0)
\end{aligned}$$

$\mathrm{inst\_s}_A(x.\,S, N_0) = S'$ [Synchronous type instantiation]

(Analogous.)

We interpret these recurrences as inductive definitions (adopting the least solution to
the recurrence). The first theorem ensures that type reduction has been properly defined.
There are also two lemmas, one of which, mentioned earlier, ensures that type reduction
makes a type smaller. All are immediate by structural induction on the argument.

Theorem  1  (Definability  of  type  reduction) 

The  recurrence  for  type  reduction  uniquely  determines  a  least  partial  function  solving  the 
recurrence. 

Lemma 2

If $\mathrm{treduce}_A(x.\,R)$ is defined, then $\mathrm{head}(R)$ is $x$.

Lemma 3

If $\mathrm{treduce}_A(x.\,R) = B$, then $B$ is a subterm of $A$.

Now  we  can  conclude  that  instantiation  has  been  properly  defined. 

Theorem 4 (Definability of instantiation)

The recurrence for the reduction, instantiation, and matching operators uniquely determines
the least partial functions (up to $\alpha$-equivalence) solving them.

Proof. The proof is by an outer structural induction on the type subscript, and an inner
simultaneous structural induction on the two arguments. □
4.2 Expansion

The expansion operator is specified by the following equations. In some cases, new bound
variables are introduced on the right-hand side of an equation. Any new variables in an
instance of such an equation are required to be distinct from one another and from any
other variables in the equation instance.

Definition 15 (Expansion)

$\mathrm{expand}_A(R) = N$ [Expansion]

$$\begin{aligned}
\mathrm{expand}_P(R) &= R \\
\mathrm{expand}_{A \multimap B}(R) &= \hat\lambda x.\,\mathrm{expand}_B(R^{\wedge}(\mathrm{expand}_A(x))) \quad \text{if } x \notin \mathrm{FV}(R) \\
\mathrm{expand}_{\Pi x{:}A.\,B}(R) &= \lambda x.\,\mathrm{expand}_B(R\,(\mathrm{expand}_A(x))) \quad \text{if } x \notin \mathrm{FV}(R) \\
\mathrm{expand}_{A \mathbin{\&} B}(R) &= \langle \mathrm{expand}_A(\pi_1 R), \mathrm{expand}_B(\pi_2 R) \rangle \\
\mathrm{expand}_{\top}(R) &= \langle\rangle \\
\mathrm{expand}_{\{S\}}(R) &= \{\mathsf{let}\ \{p\} = R\ \mathsf{in}\ \mathrm{pexpand}_S(p)\}
\end{aligned}$$

$\mathrm{pexpand}_S(p) = M$ [Pattern expansion]

$$\begin{aligned}
\mathrm{pexpand}_{S_1 \otimes S_2}(p_1 \otimes p_2) &= \mathrm{pexpand}_{S_1}(p_1) \otimes \mathrm{pexpand}_{S_2}(p_2) \\
\mathrm{pexpand}_1(1) &= 1 \\
\mathrm{pexpand}_{\exists x{:}A.\,S}([x, p]) &= [\mathrm{expand}_A(x), \mathrm{pexpand}_S(p)] \\
\mathrm{pexpand}_A(x) &= \mathrm{expand}_A(x)
\end{aligned}$$

Theorem 5 (Definability of expansion)

1. If $\mathrm{pexpand}_S(p_1)$ and $\mathrm{pexpand}_S(p_2)$ are both defined then $p_1$ and $p_2$ are the same up to variable renaming.

2. Given $S$, there is a pattern $p$, fresh with respect to any given set of variables, such that $\mathrm{pexpand}_S(p)$ is defined.

3. The recurrence for expansion uniquely determines it as a total function up to $\alpha$-equivalence.

Proof. The first part is by induction on $S$. The second and third parts are by induction
on the type subscript, using the first part to ensure that the result of $\mathrm{expand}_{\{S\}}(R)$ is unique
up to $\alpha$-equivalence. □


4.3 On decidability

The next few meta-theoretic observations are on the decidability of the fundamental operators
and judgments of the theory. We begin with equality. Recall that equality is totally
independent of typing and is syntax directed.

Theorem 6 (Decidability of equality)

1. Given $R_1$ and $R_2$, it is decidable whether $R_1 = R_2$.

2. Given $N_1$ and $N_2$, it is decidable whether $N_1 = N_2$.

3. Given $M_1$ and $M_2$, it is decidable whether $M_1 = M_2$.

4. Given $E_1$ and $E_2$, it is decidable whether $E_1 =_c E_2$.

5. Given $E_1$ and $E_2$, it is decidable whether $E_1 = E_2$.

6. Given $P_1$ and $P_2$, it is decidable whether $P_1 = P_2$.

Proof. The proof is by simultaneous structural induction on the subjects of the judgments.
The judgments have been placed in the proper order of precedence in view of the trivial
coercions from $R$ to $N$ to $M$ to $E$. For example, $R_1 = R_2$ is below $N_1 = N_2$ only if each
of $R_1$ and $R_2$ is a subterm of either $N_1$ or $N_2$, but $N_1 = N_2$ is below $R_1 = R_2$ only if each
of $N_1$ and $N_2$ is a strict subterm of either $R_1$ or $R_2$. In the case of $E_1 =_c E_2$ it suffices to
note that any $E_2$ can be decomposed as $\varepsilon[E_2']$ in only finitely many ways. □

The next theorems are on the decidability of instantiation and expansion. Instantiation
and expansion are both syntax directed and terminate on arbitrary terms and type subscripts.
There is no requirement that the terms or type subscript be valid or that the type
subscript have any particular relationship to the terms. The proofs are immediate by the
same induction schemes as for the definability theorems.

Theorem  7  (Decidability  of  instantiation) 

It  is  decidable  whether  any  instance  of  the  instantiation  and  matching  operators  is  defined, 
and  if  so,  it  can  be  effectively  computed. 

Theorem 8 (Decidability of expansion)

1. Given $S$, a pattern $p$ can be effectively computed such that $\mathrm{pexpand}_S(p)$ is defined and can be effectively computed. The pattern $p$ can be chosen fresh with respect to any given set of variables.

2. Given $A$ and $R$, the result of $\mathrm{expand}_A(R)$ can be effectively computed.

The  fact  that  instantiation  and  equality  are  decidable  leads  directly  to  the  decidability 
of  typing  in  the  framework,  since  the  typing  rules  are  syntax  directed  and  appeal  only  to 
instantiation  and  equality. 

Lemma 9 (Unicity of inference)

1. There is a partial function $\mathrm{typeof}(\Gamma; \Delta \vdash R)$ such that whenever $\Gamma; \Delta \vdash R \Rightarrow A$ holds, $A = \mathrm{typeof}(\Gamma; \Delta \vdash R)$. Given $\Gamma$, $\Delta$, and $R$, it is decidable whether $\mathrm{typeof}(\Gamma; \Delta \vdash R)$ is defined, and if so, it can be effectively computed.

2. There is a partial function $\mathrm{kindof}(\Gamma \vdash P)$ such that whenever $\Gamma \vdash P \Rightarrow K$ holds, $K = \mathrm{kindof}(\Gamma \vdash P)$. Given $\Gamma$ and $P$, it is decidable whether $\mathrm{kindof}(\Gamma \vdash P)$ is defined, and if so, it can be effectively computed.

Proof. Immediate by the facts that typing is syntax directed, instantiation is a partial
function, and instantiation is computable.

Lemma 10

Suppose that for all Γ' and Δ' it is decidable whether Γ'; Δ' ⊢ E ← S. Then it is decidable
whether Γ; Δ; Ψ ⊢ E ← S.

Proof. The induction is on the number of type constructors in Ψ. □

Theorem 11 (Decidability of typing)

1. Given Γ, Δ, R, and A, it is decidable whether Γ; Δ ⊢ R ⇒ A.

2. Given Γ, Δ, N, and A, it is decidable whether Γ; Δ ⊢ N ⇐ A.

3. Given Γ, Δ, M, and S, it is decidable whether Γ; Δ ⊢ M ⇐ S.

4. Given Γ, Δ, E, and S, it is decidable whether Γ; Δ ⊢ E ← S.

5. Given Γ, P, and K, it is decidable whether Γ ⊢ P ⇒ K.

6. Given Γ and A, it is decidable whether Γ ⊢ A ⇐ type.

7. Given Γ and K, it is decidable whether Γ ⊢ K ⇐ kind.

8. Given Σ, it is decidable whether ⊢ Σ ok.

9. Given Γ, it is decidable whether ⊢ Γ ok.

10. Given Γ and Δ, it is decidable whether Γ ⊢ Δ ok.

11. Given Γ and Ψ, it is decidable whether Γ ⊢ Ψ ok.

Proof. The proof is by structural induction on the subject of each judgment. In order to
decide Γ; Δ ⊢ R ⇐ P, we test whether typeof(Γ; Δ ⊢ R) is atomic, typeof(Γ; Δ ⊢ R) = P,
and Γ; Δ ⊢ R ⇒ typeof(Γ; Δ ⊢ R). In order to decide Γ; Δ ⊢ R N ⇒ A, we first test
whether typeof(Γ; Δ ⊢ R) = Πx:B. C for some B and C, whether Γ; Δ ⊢ R ⇒ Πx:B. C,
whether Γ; · ⊢ N ⇐ B, and finally whether inst_a_B(x. C, N) = A. In order to decide
Γ; Δ ⊢ let {p} = R in E ← S there is an appeal to the lemma. Similar comments apply
in other cases. In order to decide multiplicatives, it suffices (efficiency concerns aside) to
test every possible decomposition of the linear context Δ into Δ1, Δ2. □

It is characteristic of this approach to the type theory that such decidability theorems
can be proved before any of the other meta-theory is developed, and that they do not
depend in any way on the various terms involved being valid. The most important reason
is that every judgment and algorithm of the theory is syntax directed.

4.4  Composition 

A novel element of the meta-theory is the need for composition theorems for the instantiation
and expansion operators. These correspond to the usual categorical axioms of left and right
identity and associativity (slightly modified because we instantiate a single variable at a
time rather than all free variables). In a language admitting non-canonical forms these are
trivial, since the identity principle is witnessed trivially, and there is a composition law for
syntactic substitution:

[M1/x1][M2/x2]M3 = [[M1/x1]M2/x2][M1/x1]M3

The  main  theorem  of  this  section  is  a  corresponding  law  for  instantiation.  We  begin 
with  a  number  of  lemmas. 

Lemma 12 (Trivial instantiation)

1. If x ∉ FV(R), then inst_r_A(x. R, N0) = R.

2. If x ∉ FV(N), then inst_n_A(x. N, N0) = N.

3. If x ∉ FV(M), then inst_m_A(x. M, N0) = M.

4. If x ∉ FV(E), then inst_e_A(x. E, N0) = E.

5. If x ∉ FV(P), then inst_p_A(x. P, N0) = P.

6. If x ∉ FV(B), then inst_a_A(x. B, N0) = B.

7. If x ∉ FV(S), then inst_s_A(x. S, N0) = S.

8. If x ∉ FV(K), then inst_k_A(x. K, N0) = K.

Proof. A straightforward induction on the first argument. □

Lemma 13

If inst_r_A(x. R, N0) is defined, then head(inst_r_A(x. R, N0)) is head(R).

Lemma 14

If x and y are distinct, treduce_A(x. R) = A', and inst_r_B(y. R, N0) is defined, then

treduce_A(x. inst_r_B(y. R, N0)) = A'.

Lemma 15

The free variables in a term resulting from instantiating x with N0 are a subset of the free
variables of the original term, excepting x.

The free variables in a term resulting from matching p with E0 or M0 are a subset of
the free variables of the original term, excepting the variables of p.

Note  that  the  following  theorem  holds  without  assuming  that  the  terms  involved  are 
well-typed. 

Theorem 16 (Composition of instantiations)

Suppose that x and y are distinct or x ∉ FV(p), and y ∉ FV(N0) or FV(p) ∩ FV(N0) is
empty, as the case may be. For each of the following equations, if the inner instantiations
are defined, then the outermost instantiations on each side are both defined and are
α-equivalent.

1. reduce_{A0}(x. inst_r_A(y. R1, N2), N0) = inst_n_A(y. reduce_{A0}(x. R1, N0), inst_n_{A0}(x. N2, N0))

2. inst_n_{A0}(x. reduce_A(y. R1, N2), N0) = reduce_A(y. inst_r_{A0}(x. R1, N0), inst_n_{A0}(x. N2, N0))

3. inst_r_{A0}(x. inst_r_A(y. R1, N2), N0) = inst_r_A(y. inst_r_{A0}(x. R1, N0), inst_n_{A0}(x. N2, N0))

4. inst_n_{A0}(x. inst_n_A(y. N1, N2), N0) = inst_n_A(y. inst_n_{A0}(x. N1, N0), inst_n_{A0}(x. N2, N0))

5. inst_m_{A0}(x. inst_m_A(y. M1, N2), N0) = inst_m_A(y. inst_m_{A0}(x. M1, N0), inst_n_{A0}(x. N2, N0))

6. inst_e_{A0}(x. inst_e_A(y. E1, N2), N0) = inst_e_A(y. inst_e_{A0}(x. E1, N0), inst_n_{A0}(x. N2, N0))

7. inst_e_{A0}(x. match_m_S(p. E1, M2), N0) = match_m_S(p. inst_e_{A0}(x. E1, N0), inst_m_{A0}(x. M2, N0))

8. inst_e_{A0}(x. match_e_S(p. E1, E2), N0) = match_e_S(p. inst_e_{A0}(x. E1, N0), inst_e_{A0}(x. E2, N0))

9. match_m_{S0}(p0. match_e_S(p. E1, E2), M0)
   = match_e_S(p. match_m_{S0}(p0. E1, M0), match_m_{S0}(p0. E2, M0))

10. match_e_{S0}(p0. match_e_S(p. E1, E2), E0) = match_e_S(p. E1, match_e_{S0}(p0. E2, E0))

(Supposing no variable bound by p0 is free in E1.)

11. inst_p_{A0}(x. inst_p_A(y. P1, N2), N0) = inst_p_A(y. inst_p_{A0}(x. P1, N0), inst_n_{A0}(x. N2, N0))

12. inst_a_{A0}(x. inst_a_A(y. A1, N2), N0) = inst_a_A(y. inst_a_{A0}(x. A1, N0), inst_n_{A0}(x. N2, N0))

13. inst_s_{A0}(x. inst_s_A(y. S1, N2), N0) = inst_s_A(y. inst_s_{A0}(x. S1, N0), inst_n_{A0}(x. N2, N0))

14. inst_k_{A0}(x. inst_k_A(y. K1, N2), N0) = inst_k_A(y. inst_k_{A0}(x. K1, N0), inst_n_{A0}(x. N2, N0))

Proof. The proof has many cases but is straightforward. □
4.5 On equality

The  following  theorems  show  that  the  framework’s  equality  is  an  equivalence  relation. 

Theorem 17 (Reflexivity of equality)

1. Given R, we have R = R.

2. Given N, we have N = N.

3. Given M, we have M = M.

4. Given E, we have E =c E.

5. Given E, we have E = E.

6. Given P, we have P = P.

Proof. The proof is by structural induction on the subject of the judgment. □

Lemma 18

If E1 =c (let {p} = R2 in E2), then E1 = ε[let {p} = R1 in E1'] for some R1, ε and E1' such
that R1 = R2 and ε[E1'] =c E2. Furthermore, no variable free in R1 is bound in ε.

Proof. The proof is by structural induction on the derivation of the assumption. □

Theorem 19 (Symmetry of equality)

1. If R1 = R2, then R2 = R1.

2. If N1 = N2, then N2 = N1.

3. If M1 = M2, then M2 = M1.

4. If E1 =c E2, then E2 =c E1.

5. If E1 = E2, then E2 = E1.

6. If P1 = P2, then P2 = P1.

Proof. The proof is by structural induction on the second subject of the assumed equality.
In the case E1 =c (let {p} = R2 in E2) we appeal to the lemma. Then E2 =c ε[E1'] and
R2 = R1 by the induction hypothesis. Then (let {p} = R2 in E2) =c ε[let {p} = R1 in E1'] =
E1 by an inference rule. □

In  order  to  prove  the  transitivity  of  concurrent  equality,  we  first  need  to  consider  a  few 
trivial  properties  of  concurrent  contexts  (somewhat  tedious  to  prove  syntactically). 

Lemma 20

If ε[E1] = ε[E2], then E1 = E2.

Proof. The result follows by induction on ε. □

Lemma 21

If ε1[E] = ε2[E], then ε1 = ε2.

Proof. The result follows by induction on ε1. □

Lemma 22

Suppose that no variable free in R is bound in ε2. If ε1[E1] = ε2[let {p} = R in E2], then
either

1. ε1 = ε2[let {p} = R in ε'] for some ε', or

2. E1 = ε'[let {p} = R in E2] for some ε'.

Proof. The result follows by induction on ε1. □

Now we prove a general inversion principle for concurrent equality.

Lemma 23 (Inversion principle for concurrent equality)

Suppose that no variable free in R1 is bound by ε1. If ε1[let {p} = R1 in E1'] =c E2, then
E2 = ε2[let {p} = R2 in E2'] for some ε2, R2, and E2' such that R1 = R2 and ε1[E1'] =c ε2[E2'].
Furthermore, no variable free in R2 is bound by ε2.

Proof. The result follows by induction on ε1. □

Now  we  can  prove  the  transitivity  theorem  itself. 

Theorem 24 (Transitivity of equality)

1. If R1 = R2 and R2 = R3, then R1 = R3.

2. If N1 = N2 and N2 = N3, then N1 = N3.

3. If M1 = M2 and M2 = M3, then M1 = M3.

4. If E1 =c E2 and E2 =c E3, then E1 =c E3.

5. If E1 = E2 and E2 = E3, then E1 = E3.

6. If P1 = P2 and P2 = P3, then P1 = P3.

Proof. The proof is by structural induction on the derivation of the first assumption. For
the part involving concurrent equality we appeal to the inversion principle. □

It is the restriction to canonical forms inherent in the syntax of CLF that makes it
possible to define equality and prove such a result without any reference to the typing
judgments.

Now we go on to show that all of the primitive operators and judgments of the theory
factor through the equivalence relation on well-typed terms induced by the equality
judgment. (Recall that we do not ascribe any particular meaning to the equality judgment
unless the terms involved are well-typed.) This licenses us to think of them as being defined
on the equivalence classes.

First, however, we introduce a stronger version of concurrent equality, needed to stage
the proofs. Strong concurrent equality only allows rearranging let bindings at the top level
structure of an expression, rather than deep within it.

Definition 16 (Strong concurrent equality)

E1 =s E2 [Strong concurrent equality]

  ────────
  M =s M

              E1 =s ε[E2]
  ─────────────────────────────────────────────  (*)
  (let {p} = R in E1) =s ε[let {p} = R in E2]

Again the rule marked (*) is subject to the side condition that no variable bound by
p be free in the conclusion or bound by the context ε, and that no variable free in R be
bound by the context ε. We have that strong concurrent equality is reflexive, symmetric,
and transitive, by essentially the same arguments as for the original concurrent equality.

Theorem  25 

Strong  concurrent  equality  is  an  equivalence  relation. 
Strong concurrent equality, as the name suggests, is a special case of concurrent equality.
This follows from the reflexivity of framework equality.

Theorem 26

If E1 =s E2, then E1 =c E2.

We also have the following lemmas.

Lemma 27

Given S, p, E, ε, and E0, we have match_e_S(p. E, ε[E0]) = ε[match_e_S(p. E, E0)], supposing
one or the other side is defined.

Proof.  The  result  follows  by  induction  on  e.  □ 

Lemma 28

Suppose that p and p' bind disjoint variables, and no variable free in R is bound by p, and
no variable free in E0 or M0 is bound by p'. Then the following equations hold, assuming
one or the other side is defined.

1. match_m_S(p. let {p'} = R in E, M0) = (let {p'} = R in match_m_S(p. E, M0))

2. match_e_S(p. let {p'} = R in E, E0) =s (let {p'} = R in match_e_S(p. E, E0))

Proof. The first part follows by induction on S, and then the second part follows by
induction on E0. □

Lemma 29

Suppose that p1 and p2 bind disjoint variables, and that no variable free in E1 is bound
by p2, and no variable free in E2 is bound by p1. Then

match_e_{S1}(p1. match_e_{S2}(p2. E, E2), E1) =s match_e_{S2}(p2. match_e_{S1}(p1. E, E1), E2)

as long as one or the other side is defined.

Proof. The proof is by induction on E1. In the case E1 = M1 we appeal to the composition
law for instantiation. Otherwise we appeal to the preceding lemma. □

The  utility  of  strong  concurrent  equality  is  that  the  following  theorem  can  be  proved 
immediately. 

Theorem 30

In each of the following cases, the resulting equality holds assuming that one side or the
other is defined.

1. If no variable free in R is bound by ε, and ε and p bind disjoint sets of variables, then
inst_e_A(x. let {p} = R in ε[E], N0) =s inst_e_A(x. ε[let {p} = R in E], N0).

2. If E =s E', then inst_e_A(x. E, N0) =s inst_e_A(x. E', N0).

3. If E =s E', then match_m_S(p. E, M0) =s match_m_S(p. E', M0).

4. If E =s E', then match_e_S(p. E, E0) =s match_e_S(p. E', E0).

Proof. The proof is by an outer induction on the type subscript. The first part also
uses an inner induction on ε, the second part uses an inner induction on the derivation
of E =s E', and the last part uses an inner induction on E0. □

We  are  now  in  a  position  to  prove  the  “functionality”  of  instantiation  with  respect  to 
equivalence  classes  modulo  the  framework’s  equality.  We  extend  equality  to  types  and  kinds 
by  the  natural  congruence  rules. 

Theorem 31 (Functionality for instantiation)

In each of the following cases, the resulting equality holds assuming that one side or the
other is defined.

1. If R = R' and N0 = N0', then reduce_A(x. R, N0) = reduce_A(x. R', N0').

2. If R = R' and N0 = N0', then inst_r_A(x. R, N0) = inst_r_A(x. R', N0').

3. If N = N' and N0 = N0', then inst_n_A(x. N, N0) = inst_n_A(x. N', N0').

4. If M = M' and N0 = N0', then inst_m_A(x. M, N0) = inst_m_A(x. M', N0').

5. If E = E' and N0 = N0', then inst_e_A(x. E, N0) = inst_e_A(x. E', N0').

6. If E = E' and M0 = M0', then match_m_S(p. E, M0) = match_m_S(p. E', M0').

7. If E = E' and E0 = E0', then match_e_S(p. E, E0) = match_e_S(p. E', E0').

8. If P = P' and N0 = N0', then inst_p_A(x. P, N0) = inst_p_A(x. P', N0').

9. If B = B' and N0 = N0', then inst_a_A(x. B, N0) = inst_a_A(x. B', N0').

10. If S = S' and N0 = N0', then inst_s_A(x. S, N0) = inst_s_A(x. S', N0').

11. If K = K' and N0 = N0', then inst_k_A(x. K, N0) = inst_k_A(x. K', N0').

Proof. The proof is by an outer induction on the type subscript and an inner simultaneous
induction on the derivations of the two assumed equalities.

In most cases the result follows immediately by congruence rules. The critical parts are
the ones given by induction over expressions. For match_e_S(p. E, E0) =c match_e_S(p. E', E0')
we appeal to Lemma 27.

For inst_e_A(x. E, N0) =c inst_e_A(x. E', N0') we reason as follows. If E = M, the result
is immediate by the induction hypothesis. Otherwise E = (let {p} = R in E1), E' =
ε[let {p} = R' in E1'], R = R', and E1 =c ε[E1']. Then

inst_e_A(x. E1, N0) =c inst_e_A(x. ε[E1'], N0')

by the induction hypothesis. It follows that

inst_e_A(x. let {p} = R in E1, N0) =c inst_e_A(x. let {p} = R' in ε[E1'], N0')

by another appeal to the induction hypothesis. But by the preceding theorem,

inst_e_A(x. let {p} = R' in ε[E1'], N0') =s inst_e_A(x. ε[let {p} = R' in E1'], N0').

The result then follows by transitivity. □

A  similar  result  holds  for  the  expansion  operator. 
Theorem 32 (Functionality for expansion)

If R = R', then expand_A(R) = expand_A(R').

Proof. The proof is by induction on A. □

The functionality of instantiation immediately leads to a similar result for the typeof
and kindof operators of Lemma 9. We extend equality to contexts and signatures in the
obvious way.

Lemma 33

If Σ = Σ', Γ = Γ', and Δ = Δ', then typeof(Γ; Δ ⊢_Σ R) = typeof(Γ'; Δ' ⊢_{Σ'} R) and
kindof(Γ ⊢_Σ P) = kindof(Γ' ⊢_{Σ'} P), supposing one or the other side is defined.

It is characteristic of the syntax-directed approach that the following theorem holds even
when the contexts, etc. are not valid.

Theorem 34 (Type conversion)

Suppose that Σ = Σ', Γ = Γ', Δ = Δ', A = A', and S = S'.

1. Γ; Δ ⊢_Σ R ⇒ typeof(Γ; Δ ⊢_Σ R) iff Γ'; Δ' ⊢_{Σ'} R ⇒ typeof(Γ'; Δ' ⊢_{Σ'} R).

2. Γ; Δ ⊢_Σ N ⇐ A iff Γ'; Δ' ⊢_{Σ'} N ⇐ A'.

3. Γ; Δ ⊢_Σ M ⇐ S iff Γ'; Δ' ⊢_{Σ'} M ⇐ S'.

4. Γ; Δ ⊢_Σ E ← S iff Γ'; Δ' ⊢_{Σ'} E ← S'.

5. Γ ⊢_Σ P ⇒ kindof(Γ ⊢_Σ P) iff Γ' ⊢_{Σ'} P ⇒ kindof(Γ' ⊢_{Σ'} P).

6. Γ ⊢_Σ A ⇐ type iff Γ' ⊢_{Σ'} A ⇐ type.

7. Γ ⊢_Σ S ⇐ type iff Γ' ⊢_{Σ'} S ⇐ type.

8. Γ ⊢_Σ K ⇐ kind iff Γ' ⊢_{Σ'} K ⇐ kind.

Proof. The theorem is proved by induction over the assumed typing derivation, using
Lemma 9. □

4.6  On  typing 

Now  we  can  go  on  to  prove  the  substitution  and  identity  principles  for  CLF,  and  that  they 
are  witnessed  by  the  instantiation  and  expansion  operators.  The  instantiation  operators  are 
extended  to  contexts  in  the  obvious  way.  Again,  the  theorem  holds  even  when  the  contexts 
are  not  valid. 

Theorem 35 (Substitution principles)

If Γ_L; · ⊢ N0 ⇐ A is derivable, Γ_L, x:A, Γ_R; Δ ⊢ N ⇐ C is derivable, inst_a_A(x. Γ_R, N0) =
Γ_R', inst_a_A(x. Δ, N0) = Δ', and inst_a_A(x. C, N0) = C', the following hold:

1. The instantiation inst_n_A(x. N, N0) is defined.

2. The judgment Γ_L, Γ_R'; Δ' ⊢ inst_n_A(x. N, N0) ⇐ C' is derivable.

If Γ; Δ1 ⊢ N0 ⇐ A and Γ; Δ2, x^A ⊢ N ⇐ C are derivable, the following hold:

1. The instantiation inst_n_A(x. N, N0) is defined.

2. The judgment Γ; Δ1, Δ2 ⊢ inst_n_A(x. N, N0) ⇐ C is derivable.

This result is mutually dependent on many other substitution theorems for the other
syntactic categories. Space considerations preclude the incorporation of the proof here. It
is notable that although the theorem as a whole does not assume the contexts are valid,
in each case "just enough" information about the validity of various terms is available in
order to make the induction go through.

Note  that  the  presence  of  the  type  subscript  to  the  instantiation  operators  is  redundant 
if  the  objects  involved  are  known  to  be  well  typed,  since  the  types  generated  as  reduce 
decomposes  a  well-typed  object  will  always  be  what  they  are  required  to  be.  An  optimized 
type  checker  can  take  advantage  of  this  by  staging  the  process  of  type  checking  so  that  it 
is  an  invariant  that  whenever  an  instantiation  is  applied  the  objects  involved  are  known 
to  be  well  typed.  The  fact  that  this  is  possible  is  evident  upon  examination  of  the  flow  of 
information  through  the  typing  rules. 

The  following  theorem  can  be  proved  by  a  simple  structural  induction. 

Lemma 36 (Expansion)

If Γ; Δ ⊢ R ⇒ A then Γ; Δ ⊢ expand_A(R) ⇐ A.

As an immediate corollary, we have the following identity property.

Theorem 37 (Identity principles)

Any instance of Γ, x:A; · ⊢ expand_A(x) ⇐ A or Γ; x^A ⊢ expand_A(x) ⇐ A is derivable.

It is worth recalling that the substitution and identity principles are needed to ensure
that the type theory makes sense, since the syntactic restrictions inherent in CLF make it
impossible to generate proofs of A ⊢ A or to compose proofs of A ⊢ B and B ⊢ C in any
other way.

4.7  Related  work 

With one exception [Fel91], prior presentations of LF and LLF have been based on a syntax
in which not every term is canonical. A difficulty is that equality cannot then be axiomatized
in a manifestly decidable, syntax-directed way. In their original presentation of LF, Harper
et al. define equality in terms of β-convertibility, and do not address η-conversions [HHP93].
Strong normalization ensures that this notion of equality is decidable. However, the η-conversions
pose a special difficulty because of the lack of confluence for βη-reduction in
the case of non-well-typed terms. Since LF typing is dependent on equality, the attempt to
define an equality based on βη-reduction leads to a Catch-22.

Coquand [Coq91] tests βη-convertibility in LF using untyped β-reduction and extensionality,
which is applied when comparing a λ-abstraction to a non-abstraction. However,
this method fails when a unit type is present (as in LLF) because it may be necessary
to apply extensionality even when neither of the terms being compared is a manifest unit
introduction.

Cervesato's presentation of LLF avoids the η-conversion problem by restricting the syntax
to η-long terms [Cer96]. The equality of the framework is still defined in terms of
β-reduction. This is possible because the β-reducts of η-long terms are η-long.

Goguen proposes an elegant theory based on a typed notion of reduction [Gog94, Gog99].
An operational semantics based on this typed reduction is then shown to be decidable, and
equivalent to a (not manifestly decidable) axiomatization of equality from first principles
such as extensionality. However, being based on η-reduction, this approach does not decide
equality by an analysis of canonical forms, which are η-long. This conflicts with the LF representation
methodology, which emphasizes the primacy of canonical forms in constructing
representations and proving their adequacy.

Ghani [Gha97] uses a typed rewriting relation similar to Goguen's operational semantics
but with η-expansion rather than η-reduction. This leads to a more pleasant theory, especially
given that normal forms with respect to Ghani's rewrite rule are canonical. Harper
and Pfenning [HP00] also adopt an approach similar to Goguen's, in that equality is defined
axiomatically and shown to be equivalent to a decision procedure. Their method improves
on Goguen's in that the decision procedure is based on transforming a pair of terms simultaneously
into canonical form. It offers the further advantage that the transformation into
canonical form is incremental and can be aborted as soon as it is evident that the canonical
forms of the two terms being compared will not be the same, an important concern for
efficient implementation.

Felty has described a canonical LF in which only canonical forms are well-typed [Fel91].
This offers a number of advantages over other approaches: equality itself need not be axiomatized
at all, because terms are equal just when they are identical (up to α-equivalence).
And the representation methodology has an attractive simplicity: one establishes a compositional
bijection between object-language terms and LF objects of a given type. One need
not restrict the range of the bijection to "canonical LF terms" because every term in canonical
LF is "canonical." However, Felty's development falls back on untyped β-reduction
in order to define the typing judgment on canonical terms, so a syntax of non-canonical
terms ends up being reintroduced after all, and strong normalization and confluence for the
non-canonical forms must be proved. Thus, the canonical language cannot be considered
foundational.

Relative to these prior developments, a contribution of this work is to elaborate a foundation
for LF and LLF that preserves the attractive features of Felty's canonical LF, while
eliminating entirely its dependence on non-canonical terms and β-reduction, in favor of an
instantiation operator taking canonical terms into canonical terms. The key observation is
that the instantiation operator can be defined in a manifestly terminating, syntax-directed
way, even over ill-typed terms. This essentially eliminates the mutual dependence of typing
and equality (since extensionality principles depend on typing) that is inherent in Goguen's
or Harper and Pfenning's work. However, it is important to stress that this approach provides
only a foundation. An efficient implementation would need to reintroduce defined
constants and explicit substitutions, each of which would make the equality on the LF fragment
non-trivial again. But in contrast to previous approaches, the framework is defined
without any reference to such "non-canonical" forms: it can scale up to include them, but
its foundation is independent of them.

5  Conclusion 

We have seen that representations of concurrent systems can be succinctly and straightforwardly
constructed using a logical framework with a notion of equality that models
concurrency. We have shown that the framework is decidable and investigated its meta-theory.
We hope that the result of this work will be a concrete language in which it is as
unnecessary to specify or think about the low-level mechanics of the representation of concurrent
computations as it would be to specify or think about matters of α-conversion and
capture-avoiding substitution in LF. Furthermore, it is to be hoped that the direct, modular
and scalable account of the type theory proposed here will provide a solid foundation for
future explorations within the LF family of frameworks, of ideas such as proof irrelevance
and ordered hypothetical judgments.

A Syntax and judgments of CLF

A.1 Syntax

Definition 17 (Type constructors)

A, B, C ::= A ⊸ B | Πx:A. B | A & B | ⊤ | {S} | P      Asynchronous types
P ::= a | P N                                        Atomic type constructors
S ::= S1 ⊗ S2 | 1 | ∃x:A. S | A                      Synchronous types

Definition 18 (Kinds)

K, L ::= type | Πx:A. K      Kinds

Definition 19 (Objects)

N ::= λ̂x. N | λx. N | ⟨N1, N2⟩ | ⟨⟩ | {E} | R      Normal objects
R ::= c | x | R^N | R N | π1 R | π2 R             Atomic objects
E ::= let {p} = R in E | M                        Expressions
M ::= M1 ⊗ M2 | 1 | [N, M] | N                    Monadic objects
p ::= p1 ⊗ p2 | 1 | [x, p] | x                    Patterns

A.2 Equality

Definition 20 (Concurrent contexts)

ε ::= [ ] | let {p} = R in ε      Concurrent contexts

Definition 21 (Equality)

E1 =c E2 [Concurrent equality]

   M1 = M2            R1 = R2    E1 =c ε[E2]
  ──────────     ─────────────────────────────────────────────  (*)
  M1 =c M2       (let {p} = R1 in E1) =c ε[let {p} = R2 in E2]

E1 = E2 [Expression equality]

   E1 =c E2
  ──────────
   E1 = E2

N1 = N2    R1 = R2    M1 = M2    P1 = P2 [Other equalities]

(All congruences.)

The rule marked (*) is subject to the side condition that no variable bound by p be free
in the conclusion or bound by the context ε, and that no variable free in R2 be bound by
the context ε.

A.3 Instantiation

Definition 22 (Instantiation)

treduce_A(x. R) = B [Type reduction]

treduce_A(x. x) = A
treduce_A(x. R N) = C      if treduce_A(x. R) = Πy:B. C
treduce_A(x. R^N) = C      if treduce_A(x. R) = B ⊸ C
treduce_A(x. π1 R) = B1    if treduce_A(x. R) = B1 & B2
treduce_A(x. π2 R) = B2    if treduce_A(x. R) = B1 & B2

reduce_A(x. R, N0) = N' [Reduction]

reduce_A(x. x, N0) = N0
reduce_A(x. R N, N0) = inst_n_B(y. N', inst_n_A(x. N, N0))
    if treduce_A(x. R) = Πy:B. C and reduce_A(x. R, N0) = λy. N'
reduce_A(x. R^N, N0) = inst_n_B(y. N', inst_n_A(x. N, N0))
    if treduce_A(x. R) = B ⊸ C and reduce_A(x. R, N0) = λ̂y. N'
reduce_A(x. π1 R, N0) = N1    if reduce_A(x. R, N0) = ⟨N1, N2⟩
reduce_A(x. π2 R, N0) = N2    if reduce_A(x. R, N0) = ⟨N1, N2⟩

inst_r_A(x. R, N0) = R' [Atomic object instantiation]

inst_r_A(x. c, N0) = c
inst_r_A(x. y, N0) = y    if y is not x
inst_r_A(x. R N, N0) = (inst_r_A(x. R, N0)) (inst_n_A(x. N, N0))
inst_r_A(x. R^N, N0) = (inst_r_A(x. R, N0))^(inst_n_A(x. N, N0))
inst_r_A(x. π1 R, N0) = π1 (inst_r_A(x. R, N0))
inst_r_A(x. π2 R, N0) = π2 (inst_r_A(x. R, N0))

inst_n_A(x. N, N0) = N' [Normal object instantiation]

inst_n_A(x. λy. N, N0) = λy. inst_n_A(x. N, N0)      if y ∉ FV(N0)
inst_n_A(x. λ̂y. N, N0) = λ̂y. inst_n_A(x. N, N0)    if y ∉ FV(N0)
inst_n_A(x. ⟨N1, N2⟩, N0) = ⟨inst_n_A(x. N1, N0), inst_n_A(x. N2, N0)⟩
inst_n_A(x. ⟨⟩, N0) = ⟨⟩
inst_n_A(x. {E}, N0) = {inst_e_A(x. E, N0)}
inst_n_A(x. R, N0) = inst_r_A(x. R, N0)    if head(R) is not x
inst_n_A(x. R, N0) = reduce_A(x. R, N0)    if treduce_A(x. R) = P



inst_m_A(x. M, N0) = M' [Monadic object instantiation]

inst_m_A(x. M1 ⊗ M2, N0) = inst_m_A(x. M1, N0) ⊗ inst_m_A(x. M2, N0)
inst_m_A(x. 1, N0) = 1
inst_m_A(x. [N, M], N0) = [inst_n_A(x. N, N0), inst_m_A(x. M, N0)]
inst_m_A(x. N, N0) = inst_n_A(x. N, N0)

inst_e_A(x. E, N0) = E' [Expression instantiation]

inst_e_A(x. let {p} = R in E, N0) = (let {p} = inst_r_A(x. R, N0) in inst_e_A(x. E, N0))
    if head(R) is not x, and FV(p) ∩ FV(N0) is empty
inst_e_A(x. let {p} = R in E, N0) = match_e_S(p. inst_e_A(x. E, N0), E')
    if treduce_A(x. R) = {S}, reduce_A(x. R, N0) = {E'}, and FV(p) ∩ FV(N0) is empty
inst_e_A(x. M, N0) = inst_m_A(x. M, N0)

match_m_S(p. E, M0) = E' [Match monadic object]

match_m_{S1⊗S2}(p1 ⊗ p2. E, M1 ⊗ M2) = match_m_{S2}(p2. match_m_{S1}(p1. E, M1), M2)
    if FV(p2) ∩ FV(M1) is empty
match_m_1(1. E, 1) = E
match_m_{∃x:A.S}([x, p]. E, [N, M]) = match_m_S(p. inst_e_A(x. E, N), M)
    if FV(p) ∩ FV(N) is empty
match_m_A(x. E, N) = inst_e_A(x. E, N)

match_e_S(p. E, E0) = E' [Match expression]

match_e_S(p. E, let {p0} = R0 in E0) = let {p0} = R0 in match_e_S(p. E, E0)
    if FV(p0) ∩ FV(E) and FV(p) ∩ FV(R0) are empty
match_e_S(p. E, M0) = match_m_S(p. E, M0)

inst_p_A(x. P, N0) = P'    [Atomic type constructor instantiation]
inst_a_A(x. A, N0) = A'    [Type instantiation]
inst_s_A(x. S, N0) = S'    [Synchronous type instantiation]
inst_k_A(x. K, N0) = K'    [Kind instantiation]

(Analogous.)


A.4  Expansion 
Definition  23  (Expansion) 
$\mathrm{expand}_A(R) = N$ [Expansion]

$\mathrm{expand}_P(R) = R$
$\mathrm{expand}_{A \multimap B}(R) = \hat\lambda x.\, \mathrm{expand}_B(R\,\hat{}\,(\mathrm{expand}_A(x)))$ if $x \notin \mathrm{FV}(R)$
$\mathrm{expand}_{\Pi x{:}A.\,B}(R) = \lambda x.\, \mathrm{expand}_B(R\,(\mathrm{expand}_A(x)))$ if $x \notin \mathrm{FV}(R)$
$\mathrm{expand}_{A \mathbin{\&} B}(R) = \langle \mathrm{expand}_A(\pi_1 R),\ \mathrm{expand}_B(\pi_2 R)\rangle$
$\mathrm{expand}_\top(R) = \langle\rangle$
$\mathrm{expand}_{\{S\}}(R) = \{\mathbf{let}\ \{p\} = R\ \mathbf{in}\ \mathrm{pexpand}_S(p)\}$

$\mathrm{pexpand}_S(p) = M$ [Pattern expansion]

$\mathrm{pexpand}_{S_1 \otimes S_2}(p_1 \otimes p_2) = \mathrm{pexpand}_{S_1}(p_1) \otimes \mathrm{pexpand}_{S_2}(p_2)$
$\mathrm{pexpand}_1(1) = 1$
$\mathrm{pexpand}_{\exists x{:}A.\,S}([x, p]) = [\mathrm{expand}_A(x),\ \mathrm{pexpand}_S(p)]$
$\mathrm{pexpand}_A(x) = \mathrm{expand}_A(x)$
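The following is an added example and not code from the report: the instantiation operations of Definition 22 above (inst_n, inst_r, reduce, treduce) together with expand from Definition 23, written out for the simply typed fragment with Π read as a non-dependent arrow, & and ⊤; ⊸, the monad and the match operations are left out. Since the types carry no dependencies, nothing is ever instantiated into a type, and treduce and reduce collapse into a single function that returns the reduced object together with its type. The tuple encoding of objects and types, the fresh-name scheme (v1, v2, z1, ...) and the sample objects in the two example functions are assumptions of this example. The side conditions of the definitions ($y \notin \mathrm{FV}(N_0)$ for instantiation, $x \notin \mathrm{FV}(R)$ for expansion) are enforced by renaming rather than assumed.

```python
# Added example, not code from the CLF report: inst_n / inst_r / reduce / treduce
# and expand from the definitions above, for the simply typed fragment with Pi
# (read as a non-dependent arrow), & and T.  Types carry no dependencies, so
# nothing is instantiated into a type and treduce/reduce are fused into one
# function returning (object, type).  Encoding, an assumption of this example:
#   normal N : ('lam', y, N) | ('pair', N1, N2) | ('unit',) | R
#   atomic R : ('var', y) | ('const', c) | ('app', R, N) | ('fst', R) | ('snd', R)
#   type   A : ('o',) | ('arrow', A, B) | ('and', A, B) | ('top',)
O = ('o',)

def fv(t):                                # FV(t): free variables of an object
    tag = t[0]
    if tag == 'var':
        return {t[1]}
    if tag == 'lam':
        return fv(t[2]) - {t[1]}
    if tag in ('pair', 'app'):
        return fv(t[1]) | fv(t[2])
    return fv(t[1]) if tag in ('fst', 'snd') else set()

def rename(t, old, new):                  # rename variable old to new (new fresh for t)
    tag = t[0]
    if tag == 'var':
        return ('var', new) if t[1] == old else t
    if tag == 'lam':
        return t if t[1] == old else ('lam', t[1], rename(t[2], old, new))
    if tag in ('pair', 'app'):
        return (tag, rename(t[1], old, new), rename(t[2], old, new))
    return (tag, rename(t[1], old, new)) if tag in ('fst', 'snd') else t

def fresh(base, avoid):                   # a variable name built from base, not in avoid
    i = 1
    while f"{base}{i}" in avoid:
        i += 1
    return f"{base}{i}"

def head(r):                              # head(R): the variable heading an atomic object
    while r[0] in ('app', 'fst', 'snd'):
        r = r[1]
    return r[1] if r[0] == 'var' else None

def inst_n(A, x, N, N0):
    """inst_n_A(x. N, N0): substitute canonical N0 : A for x in the normal object N."""
    tag = N[0]
    if tag == 'lam':
        y, body = N[1], N[2]
        if y == x:                        # x is shadowed
            return N
        if y in fv(N0):                   # side condition y not in FV(N0): rename y
            y2 = fresh(y, fv(N0) | fv(body) | {x})
            body, y = rename(body, y, y2), y2
        return ('lam', y, inst_n(A, x, body, N0))
    if tag == 'pair':
        return ('pair', inst_n(A, x, N[1], N0), inst_n(A, x, N[2], N0))
    if tag == 'unit' or head(N) != x:     # unit, or an atomic object not headed by x
        return inst_r(A, x, N, N0)
    return reduce_(A, x, N, N0)[0]        # headed by x: reduce, so no redex is created

def inst_r(A, x, R, N0):
    """inst_r_A(x. R, N0): substitution in an atomic object whose head is not x."""
    if R[0] in ('var', 'const', 'unit'):
        return R
    if R[0] == 'app':
        return ('app', inst_r(A, x, R[1], N0), inst_n(A, x, R[2], N0))
    return (R[0], inst_r(A, x, R[1], N0))  # 'fst' / 'snd'

def reduce_(A, x, R, N0):
    """reduce_A(x. R, N0) with treduce_A(x. R): returns (canonical object, its type)."""
    if R[0] == 'var':                     # R is x itself
        return N0, A
    if R[0] == 'app':
        f, B = reduce_(A, x, R[1], N0)    # f is a lambda, B = ('arrow', A1, B1)
        arg = inst_n(A, x, R[2], N0)
        return inst_n(B[1], f[1], f[2], arg), B[2]  # at the smaller type A1: why this terminates
    p, B = reduce_(A, x, R[1], N0)        # 'fst' / 'snd': p is a pair, B = ('and', A1, B1)
    return (p[1], B[1]) if R[0] == 'fst' else (p[2], B[2])

def expand(A, R):
    """expand_A(R): eta-expand the atomic object R : A into a canonical normal object."""
    if A[0] == 'o':
        return R
    if A[0] == 'arrow':
        x = fresh('v', fv(R))             # side condition x not in FV(R)
        return ('lam', x, expand(A[2], ('app', R, expand(A[1], ('var', x)))))
    if A[0] == 'and':
        return ('pair', expand(A[1], ('fst', R)), expand(A[2], ('snd', R)))
    return ('unit',)                      # 'top'

def example_capture_and_projection():     # constructed input for this example
    """x : o -> (o & o), N0 = \\y.<y, z> with z free; the binder z in \\z. pi2 (x z) is renamed."""
    N0 = ('lam', 'y', ('pair', ('var', 'y'), ('var', 'z')))
    N = ('lam', 'z', ('snd', ('app', ('var', 'x'), ('var', 'z'))))
    return inst_n(('arrow', O, ('and', O, O)), 'x', N, N0)

def example_expand_then_instantiate():    # constructed input for this example
    """Expand g : (o -> o) -> o to canonical form, then substitute it for x in x (\\w. w)."""
    A = ('arrow', ('arrow', O, O), O)
    N0 = expand(A, ('var', 'g'))          # \v1. g (\v2. v1 v2)
    return N0, inst_n(A, 'x', ('app', ('var', 'x'), ('lam', 'w', ('var', 'w'))), N0)
```

The first example instantiates $\lambda z.\,\pi_2(x\,z)$ at $x$ with $\lambda y.\,\langle y, z\rangle$ and yields $\lambda z_1.\,z$: the bound $z$ is renamed because $z$ is free in $N_0$, and the projection is reduced rather than left as a redex. The second expands the variable $g$ to the canonical $\lambda v_1.\,g\,(\lambda v_2.\,v_1\,v_2)$ and then uses it as $N_0$; the result $g\,(\lambda v_2.\,v_2)$ is again canonical, which is the property the type index on the operations is there to guarantee.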

A.5  Typing 

Definition 24 (Signatures and contexts)

$\Sigma ::= \cdot \mid \Sigma, a{:}K \mid \Sigma, c{:}A$  Signatures
$\Gamma ::= \cdot \mid \Gamma, x{:}A$  Unrestricted contexts
$\Delta ::= \cdot \mid \Delta, x\,\hat{}\,A$  Linear contexts
$\Psi ::= \cdot \mid p\,\hat{}\,S, \Psi$  Pattern contexts

Definition 25 (Typing)

$\vdash \Sigma\ \mathit{ok}$ [Signature validity]

\[ \frac{}{\vdash \cdot\ \mathit{ok}} \qquad
   \frac{\vdash \Sigma\ \mathit{ok} \quad \cdot \vdash_\Sigma K \Leftarrow \mathit{kind}}{\vdash \Sigma, a{:}K\ \mathit{ok}} \qquad
   \frac{\vdash \Sigma\ \mathit{ok} \quad \cdot \vdash_\Sigma A \Leftarrow \mathit{type}}{\vdash \Sigma, c{:}A\ \mathit{ok}} \]

$\vdash_\Sigma \Gamma\ \mathit{ok}$ [Context validity]

\[ \frac{}{\vdash_\Sigma \cdot\ \mathit{ok}} \qquad
   \frac{\vdash_\Sigma \Gamma\ \mathit{ok} \quad \Gamma \vdash_\Sigma A \Leftarrow \mathit{type}}{\vdash_\Sigma \Gamma, x{:}A\ \mathit{ok}} \]

$\Gamma \vdash_\Sigma \Delta\ \mathit{ok}$ [Linear context validity]

\[ \frac{}{\Gamma \vdash_\Sigma \cdot\ \mathit{ok}} \qquad
   \frac{\Gamma \vdash_\Sigma \Delta\ \mathit{ok} \quad \Gamma \vdash_\Sigma A \Leftarrow \mathit{type}}{\Gamma \vdash_\Sigma \Delta, x\,\hat{}\,A\ \mathit{ok}} \]

$\Gamma \vdash_\Sigma \Psi\ \mathit{ok}$ [Pattern context validity]

\[ \frac{}{\Gamma \vdash_\Sigma \cdot\ \mathit{ok}} \qquad
   \frac{\Gamma \vdash_\Sigma S \Leftarrow \mathit{type} \quad \Gamma \vdash_\Sigma \Psi\ \mathit{ok}}{\Gamma \vdash_\Sigma p\,\hat{}\,S, \Psi\ \mathit{ok}} \]
$\Gamma \vdash_\Sigma K \Leftarrow \mathit{kind}$ [Kind checking]

\[ \frac{}{\Gamma \vdash \mathit{type} \Leftarrow \mathit{kind}} \qquad
   \frac{\Gamma \vdash A \Leftarrow \mathit{type} \quad \Gamma, x{:}A \vdash K \Leftarrow \mathit{kind}}{\Gamma \vdash \Pi x{:}A.\,K \Leftarrow \mathit{kind}} \]

$\Gamma \vdash_\Sigma A \Leftarrow \mathit{type}$ [Type checking]

\[ \frac{\Gamma \vdash A \Leftarrow \mathit{type} \quad \Gamma, x{:}A \vdash B \Leftarrow \mathit{type}}{\Gamma \vdash \Pi x{:}A.\,B \Leftarrow \mathit{type}} \qquad
   \frac{\Gamma \vdash P \Rightarrow \mathit{type}}{\Gamma \vdash P \Leftarrow \mathit{type}} \]
\[ \frac{\Gamma \vdash A \Leftarrow \mathit{type} \quad \Gamma \vdash B \Leftarrow \mathit{type}}{\Gamma \vdash A \multimap B \Leftarrow \mathit{type}} \qquad
   \frac{\Gamma \vdash A \Leftarrow \mathit{type} \quad \Gamma \vdash B \Leftarrow \mathit{type}}{\Gamma \vdash A \mathbin{\&} B \Leftarrow \mathit{type}} \qquad
   \frac{}{\Gamma \vdash \top \Leftarrow \mathit{type}} \]
\[ \frac{\Gamma \vdash S \Leftarrow \mathit{type}}{\Gamma \vdash \{S\} \Leftarrow \mathit{type}} \]

$\Gamma \vdash_\Sigma S \Leftarrow \mathit{type}$ [Synchronous type checking]

\[ \frac{\Gamma \vdash S_1 \Leftarrow \mathit{type} \quad \Gamma \vdash S_2 \Leftarrow \mathit{type}}{\Gamma \vdash S_1 \otimes S_2 \Leftarrow \mathit{type}} \qquad
   \frac{}{\Gamma \vdash 1 \Leftarrow \mathit{type}} \qquad
   \frac{\Gamma \vdash A \Leftarrow \mathit{type} \quad \Gamma, x{:}A \vdash S \Leftarrow \mathit{type}}{\Gamma \vdash \exists x{:}A.\,S \Leftarrow \mathit{type}} \]
p  p  jp  [Atomic  type  constructor  inference] 

Ff-P=!>nx  :A.A:  F;  •l-iV<^A 
F  h  o  S(a)  “  r\-PN=^\nst.kAix.K,N) 

r  N  <=  A  [Normal  object  checking] 

F,x:A;AhJV^B  F;  A  h  B  ^  P-  P[  =  P 

F;  AI-Ax.iV4=nx:A.B  F;  A  H  B  <!=  P 

F;  A.x'^Ah  Ar<!=B 
- 1 — i— - oI 

F;  A  h  Ax.  TV  <=  A  -o  B 

F;  AI-iVi<=A  F;AhiV2^B  _ 

F;Ah  {Ari,iV2)<!=  A&B  F;  A  h  ()  T 

r;  A  h  B  ^  B 
F;  A  I-  {E}  <=  {5} 

p  l_j,  p  ^  [Atomic  object  inference] 

F;  A  h  B  =>  nx:A.B  F;  •  I- N  <=  A 

F;  •  h  c  =>  S(c)  ^  F;  •  h  X  =J>  F(x)  ^  F;  A  h  B  AT  =i- inst_a>i(x.  B,  Af) 

_ ^  FjAihB^A^B  F;A2f-iV<=A 

F;  x^A  1-  X  =>  A  F;  Ai,  A2  h  R'^N  =?■  B 

F;AhB=>A&B  _  F;AhB=»AfcB 

— T^,  =:  :  7~~  &Ei  T^.  A  I D  D  ^^2 


r-,At-R=s-p'  = 
— r-.AhR^p — 


F;  A  (-  TTiJ?  A 


F;  A  h  7r2J?  B 
$\Gamma; \Delta \vdash_\Sigma E \leftarrow S$ [Expression checking]

\[ \frac{\Gamma; \Delta_1 \vdash R \Rightarrow \{S_0\} \quad \Gamma; \Delta_2; p\,\hat{}\,S_0 \vdash E \leftarrow S}{\Gamma; \Delta_1, \Delta_2 \vdash (\mathbf{let}\ \{p\} = R\ \mathbf{in}\ E) \leftarrow S}\ \{\}E \qquad
   \frac{\Gamma; \Delta \vdash M \Leftarrow S}{\Gamma; \Delta \vdash M \leftarrow S} \]

$\Gamma; \Delta; \Psi \vdash_\Sigma E \leftarrow S$ [Pattern expansion]

\[ \frac{\Gamma; \Delta \vdash E \leftarrow S}{\Gamma; \Delta; \cdot \vdash E \leftarrow S} \qquad
   \frac{\Gamma; \Delta; p_1\,\hat{}\,S_1, p_2\,\hat{}\,S_2, \Psi \vdash E \leftarrow S}{\Gamma; \Delta; p_1 \otimes p_2\,\hat{}\,S_1 \otimes S_2, \Psi \vdash E \leftarrow S}\ {\otimes}L \]
\[ \frac{\Gamma; \Delta; \Psi \vdash E \leftarrow S}{\Gamma; \Delta; 1\,\hat{}\,1, \Psi \vdash E \leftarrow S}\ 1L \qquad
   \frac{\Gamma, x{:}A; \Delta; p\,\hat{}\,S_0, \Psi \vdash E \leftarrow S}{\Gamma; \Delta; [x, p]\,\hat{}\,\exists x{:}A.\,S_0, \Psi \vdash E \leftarrow S}\ {\exists}L \qquad
   \frac{\Gamma; \Delta, x\,\hat{}\,A; \Psi \vdash E \leftarrow S}{\Gamma; \Delta; x\,\hat{}\,A, \Psi \vdash E \leftarrow S} \]

$\Gamma; \Delta \vdash_\Sigma M \Leftarrow S$ [Monadic object checking]

\[ \frac{\Gamma; \Delta_1 \vdash M_1 \Leftarrow S_1 \quad \Gamma; \Delta_2 \vdash M_2 \Leftarrow S_2}{\Gamma; \Delta_1, \Delta_2 \vdash M_1 \otimes M_2 \Leftarrow S_1 \otimes S_2}\ {\otimes}I \qquad
   \frac{}{\Gamma; \cdot \vdash 1 \Leftarrow 1}\ 1I \]
\[ \frac{\Gamma; \cdot \vdash N \Leftarrow A \quad \Gamma; \Delta \vdash M \Leftarrow \mathrm{inst\_s}_A(x.\ S,\, N)}{\Gamma; \Delta \vdash [N, M] \Leftarrow \exists x{:}A.\,S}\ {\exists}I \]